108 files changed, 10341 insertions, 9955 deletions

diff --git a/security/coreconf/.cshrc b/security/coreconf/.cshrc
deleted file mode 100644
index 659e4f7aa..000000000
--- a/security/coreconf/.cshrc
+++ /dev/null
@@ -1,273 +0,0 @@
-#!/bin/csh
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Startup file for csh and tcsh.  It is meant to work on:
-#
-#	SunOS 4.1.3_U1,
-#	Sun Solaris,
-#	Sun Solaris on Intel,
-#	SGI IRIX,
-#	SGI IRIX64,
-#	UNIX_SV,
-#	IBM AIX,
-#	Hewlett-Packard HP-UX,
-#	SCO_SV,
-#	FreeBSD,
-#	DEC OSF/1,
-#	Linux,
-#	and everything else.
-#
-
-###############################################
-# Set operating system name and release level #
-###############################################
-
-set os_name=`uname -s`
-set os_release=`uname -r`
-
-##########################################################
-#  Set environment variables based upon operating system #
-##########################################################
-
-if ($os_name == "SunOS" && $os_release == "4.1.3_U1") then
-	##############################
-	# SunOS 4.1.3_U1
-	#
-
-	setenv NO_MDUPDATE 1
-
-	set path = (	/tools/ns/soft/gcc-2.6.3/run/default/sparc_sun_sunos4.1.3_U1/bin \
-			/tools/ns/bin \
-			/sbin \
-			/usr/bin \
-			/usr/openwin/bin \
-			/usr/openwin/include \
-			/usr/ucb \
-			/usr/local/bin \
-			/etc \
-			/usr/etc \
-			/usr/etc/install \
-			. )
-
-else if ($os_name == "SunOS") then
-	################################
-	#  Assume it is Sun Solaris
-	#
-
-	# To build Navigator on Solaris 2.5, I must set the environment
-	# variable NO_MDUPDATE and use gcc-2.6.3.
-	setenv NO_MDUPDATE 1
-
-	set path = (	/share/builds/components/jdk/1.2.2_01/SunOS \
-			/usr/ccs/bin \
-			/usr/opt/bin \
-			/tools/ns/bin \
-			/usr/sbin \
-			/sbin \
-			/usr/bin \
-			/usr/dt/bin \
-			/usr/openwin/bin \
-			/usr/openwin/include \
-			/usr/ucb \
-			/usr/opt/java/bin \
-			/usr/local/bin \
-			/etc \
-			/usr/etc \
-			/usr/etc/install \
-			/opt/Acrobat3/bin \
-			. )
-
-	# To get the native Solaris cc
-	if (`uname -m` == i86pc) then
-		set path = (	/h/solx86/export/home/opt/SUNWspro/SC3.0.1/bin \
-				$path )
-	else
-		set path = (	/tools/ns/workshop/bin \
-				/tools/ns/soft/gcc-2.6.3/run/default/sparc_sun_solaris2.4/bin \
-				$path )
-	endif
-
-	setenv LD_LIBRARY_PATH /share/builds/components/jdk/1.2.2_01/SunOS/lib/sparc/native_threads
-
-	setenv MANPATH /usr/local/man:/usr/local/lib/mh/man:/usr/local/lib/rcscvs/man:/usr/local/lib/fvwm/man:/usr/local/lib/xscreensaver/man:/usr/share/man:/usr/openwin/man:/usr/opt/man
-
-	# For Purify
-	setenv PURIFYHOME /usr/local-sparc-solaris/pure/purify-4.0-solaris2
-	setenv PATH ${PURIFYHOME}:$PATH
-	setenv MANPATH $PURIFYHOME/man:$MANPATH
-	setenv LD_LIBRARY_PATH ${LD_LIBRARY_PATH}:$PURIFYHOME
-	setenv PURIFYOPTIONS "-max_threads=1000 -follow-child-processes=yes"
-
-else if ($os_name == "IRIX" || $os_name == "IRIX64") then
-	#############
-	#  SGI Irix
-	#
-
-	set path = (	/share/builds/components/jdk/1.2.1/IRIX \
-			/tools/ns/bin \
-			/tools/contrib/bin \
-			/usr/local/bin \
-			/usr/sbin \
-			/usr/bsd \
-			/usr/bin \
-			/bin \
-			/etc \
-			/usr/etc \
-			/usr/bin/X11 \
-			. )
-
-else if ($os_name == "UNIX_SV") then
-	#################
-	# UNIX_SV
-	#
-
-	set path = (	/usr/local/bin \
-			/tools/ns/bin \
-			/bin \
-			/usr/bin \
-			/usr/bin/X11 \
-			/X11/bin \
-			/usr/X/bin \
-			/usr/ucb \
-			/usr/sbin \
-			/sbin \
-			/usr/ccs/bin \
-			. )
-
-else if ($os_name == "AIX") then
-	#################
-	#  IBM AIX
-	#
-
-	set path = (	/share/builds/components/jdk/1.2.2/AIX \
-			/usr/ucb/ \
-			/tools/ns-arch/rs6000_ibm_aix4.1/bin \
-			/tools/ns-arch/rs6000_ibm_aix3.2.5/bin \
-			/share/tools/ns/soft/cvs-1.8/run/default/rs6000_ibm_aix3.2.5/bin \
-			/bin \
-			/usr/bin \
-			/usr/ccs/bin \
-			/usr/sbin \
-			/usr/local/bin \
-			/usr/bin/X11 \
-			/usr/etc \
-			/etc \
-			/sbin \
-			. )
-
-else if ($os_name == "HP-UX") then
-	#################
-	# HP UX
-	#
-
-	set path = (	/share/builds/components/jdk/1.1.6/HP-UX \
-			/usr/bin \
-			/opt/ansic/bin \
-			/usr/ccs/bin \
-			/usr/contrib/bin \
-			/opt/nettladm/bin \
-			/opt/graphics/common/bin \
-			/usr/bin/X11 \
-			/usr/contrib/bin/X11 \
-			/opt/upgrade/bin \
-			/opt/CC/bin \
-			/opt/aCC/bin	\
-			/opt/langtools/bin \
-			/opt/imake/bin \
-			/etc \
-			/usr/etc \
-			/usr/local/bin \
-			/tools/ns/bin \
-			/tools/contrib/bin \
-			/usr/sbin \
-			/usr/local/bin \
-			/tools/ns/bin \
-			/tools/contrib/bin \
-			/usr/sbin \
-			/usr/include/X11R5 \
-			. )
-
-else if ($os_name == "SCO_SV") then
-	#################
-	# SCO
-	#
-
-	set path = (	/bin \
-			/usr/bin \
-			/tools/ns/bin \
-			/tools/contrib/bin \
-			/usr/sco/bin \
-			/usr/bin/X11 \
-			/usr/local/bin \
-			. )
-
-else if ($os_name == "FreeBSD") then
-	#################
-	# FreeBSD
-	#
-
-	setenv PATH /usr/bin:/bin:/usr/sbin:/sbin:/usr/X11R6/bin:/usr/local/java/bin:/usr/local/bin:/usr/ucb:/usr/ccs/bin:/tools/contrib/bin:/tools/ns/bin:.
-
-else if ($os_name == "OSF1") then
-	#################
-	# DEC OSF1
-	#
-
-	set path = (	/share/builds/components/jdk/1.2.2_3/OSF1 \
-			/tools/ns-arch/alpha_dec_osf4.0/bin \
-			/tools/ns-arch/soft/cvs-1.8.3/run/default/alpha_dec_osf2.0/bin \
-			/usr/local-alpha-osf/bin \
-			/usr3/local/bin \
-			/usr/local/bin \
-			/usr/sbin \
-			/usr/bin \
-			/bin \
-			/usr/bin/X11 \
-			/usr/ucb \
-			. )
-
-else if ($os_name == "Linux") then
-	#################
-	# Linux
-	#
-
-	set path = (	/share/builds/components/jdk/1.2.2/Linux \
-			$path )
-
-endif
-
-###############################
-# Reset any "tracked" aliases #
-###############################
-
-rehash
diff --git a/security/coreconf/.profile b/security/coreconf/.profile
deleted file mode 100644
index 5474405e2..000000000
--- a/security/coreconf/.profile
+++ /dev/null
@@ -1,216 +0,0 @@
-#!/bin/sh
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Startup file for sh, ksh and bash.  It is meant to work on:
-#
-#	SunOS 4.1.3_U1,
-#	Sun Solaris,
-#	Sun Solaris on Intel,
-#	SGI IRIX,
-#	SGI IRIX64,
-#	UNIX_SV,
-#	IBM AIX,
-#	Hewlett-Packard HP-UX,
-#	SCO_SV,
-#	FreeBSD,
-#	DEC OSF/1,
-#	Linux,
-#	and everything else.
-#
-
-###############################################
-# Set operating system name and release level #
-###############################################
-
-OS_NAME=`uname -s`
-export OS_NAME
-
-OS_RELEASE=`uname -r`
-export OS_RELEASE
-
-##########################################################
-#  Set environment variables based upon operating system #
-##########################################################
-
-case $OS_NAME in
-
-	SunOS)
-		##############################
-		# Sun
-		#
-
-		case $OS_RELEASE in
-
-			4.1.3_U1)
-				##############################
-				# SunOS 4.1.3_U1
-				#
-
-				NO_MDUPDATE=1
-				export NO_MDUPDATE
-
-				PATH=/tools/ns/soft/gcc-2.6.3/run/default/sparc_sun_sunos4.1.3_U1/bin:tools/ns/bin:/sbin:/usr/bin:/usr/openwin/bin:/usr/openwin/include:/usr/ucb:/usr/local/bin:/etc:/usr/etc:/usr/etc/install:.
-				export PATH
-				;;
-
-			*)
-				################################
-				#  Assume it is Sun Solaris
-				#
-
-				# To build Navigator on Solaris 2.5, I must set the environment
-				# variable NO_MDUPDATE and use gcc-2.6.3.
-				NO_MDUPDATE=1
-				export NO_MDUPDATE
-
-				PATH=/share/builds/components/jdk/1.2.2_01/SunOS:/usr/ccs/bin:/usr/opt/bin:/tools/ns/bin:/usr/sbin:/sbin:/usr/bin:/usr/dt/bin:/usr/openwin/bin:/usr/openwin/include:/usr/ucb:/usr/opt/java/bin:/usr/local/bin:/etc:/usr/etc:/usr/etc/install:/opt/Acrobat3/bin:.
-				export PATH
-
-				# To get the native Solaris cc
-				OS_TEST=`uname -m`
-				export OS_TEST
-
-				case $OS_TEST in
-
-					i86pc)
-						PATH=/h/solx86/export/home/opt/SUNWspro/SC3.0.1/bin:$PATH
-						export PATH
-						;;
-
-					*)
-						PATH=/tools/ns/workshop/bin:/tools/ns/soft/gcc-2.6.3/run/default/sparc_sun_solaris2.4/bin:$PATH
-						export PATH
-						;;
-				esac
-
-				LD_LIBRARY_PATH=/share/builds/components/jdk/1.2.2_01/SunOS/lib/sparc/native_threads
-				export LD_LIBRARY_PATH
-
-				MANPATH=/usr/local/man:/usr/local/lib/mh/man:/usr/local/lib/rcscvs/man:/usr/local/lib/fvwm/man:/usr/local/lib/xscreensaver/man:/usr/share/man:/usr/openwin/man:/usr/opt/man
-				export MANPATH
-
-				# For Purify
-				PURIFYHOME=/usr/local-sparc-solaris/pure/purify-4.0-solaris2
-				export PURIFYHOME
-				PATH=/usr/local-sparc-solaris/pure/purify-4.0-solaris2:$PATH
-				export PATH
-				MANPATH=$PURIFYHOME/man:$MANPATH
-				export MANPATH
-				LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local-sparc-solaris/pure/purify-4.0-solaris2
-				export LD_LIBRARY_PATH
-				PURIFYOPTIONS="-max_threads=1000 -follow-child-processes=yes"
-				export PURIFYOPTIONS
-				;;
-		esac
-		;;
-
-	IRIX | IRIX64)
-		#############
-		#  SGI Irix
-		#
-
-		PATH=/share/builds/components/jdk/1.2.1/IRIX:/tools/ns/bin:/tools/contrib/bin:/usr/local/bin:/usr/sbin:/usr/bsd:/usr/bin:/bin:/etc:/usr/etc:/usr/bin/X11:.
-		export PATH
-		;;
-
-	UNIX_SV)
-		#################
-		# UNIX_SV
-		#
-
-		PATH=/usr/local/bin:/tools/ns/bin:/bin:/usr/bin:/usr/bin/X11:/X11/bin:/usr/X/bin:/usr/ucb:/usr/sbin:/sbin:/usr/ccs/bin:.
-		export PATH
-		;;
-
-	AIX)
-		#################
-		#  IBM AIX
-		#
-
-		PATH=/share/builds/components/jdk/1.2.2/AIX:/usr/ucb/:/tools/ns-arch/rs6000_ibm_aix4.1/bin:/tools/ns-arch/rs6000_ibm_aix3.2.5/bin:/share/tools/ns/soft/cvs-1.8/run/default/rs6000_ibm_aix3.2.5/bin:/bin:/usr/bin:/usr/ccs/bin:/usr/sbin:/usr/local/bin:/usr/bin/X11:/usr/etc:/etc:/sbin:.
-		export PATH
-		;;
-
-	HP-UX)
-		#################
-		# HP UX
-		#
-
-		PATH=/share/builds/components/jdk/1.1.6/HP-UX:/usr/bin:/opt/ansic/bin:/usr/ccs/bin:/usr/contrib/bin:/opt/nettladm/bin:/opt/graphics/common/bin:/usr/bin/X11:/usr/contrib/bin/X11:/opt/upgrade/bin:/opt/CC/bin:/opt/aCC/bin:/opt/langtools/bin:/opt/imake/bin:/etc:/usr/etc:/usr/local/bin:/tools/ns/bin:/tools/contrib/bin:/usr/sbin:/usr/local/bin:/tools/ns/bin:/tools/contrib/bin:/usr/sbin:/usr/include/X11R5:.
-		export PATH
-		;;
-
-	SCO_SV)
-		#################
-		# SCO
-		#
-
-		PATH=/bin:/usr/bin:/tools/ns/bin:/tools/contrib/bin:/usr/sco/bin:/usr/bin/X11:/usr/local/bin:.
-		export PATH
-		;;
-
-	FreeBSD)
-
-		#################
-		# FreeBSD
-		#
-
-		PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/X11R6/bin:/usr/local/java/bin:/usr/local/bin:/usr/ucb:/usr/ccs/bin:/tools/contrib/bin:/tools/ns/bin:.
-		export PATH
-		;;
-
-	OSF1)
-		#################
-		# DEC OSF1
-		#
-
-		PATH=/share/builds/components/jdk/1.2.2_3/OSF1:/tools/ns-arch/alpha_dec_osf4.0/bin:/tools/ns-arch/soft/cvs-1.8.3/run/default/alpha_dec_osf2.0/bin:/usr/local-alpha-osf/bin:/usr3/local/bin:/usr/local/bin:/usr/sbin:/usr/bin:/bin:/usr/bin/X11:/usr/ucb:.
-		export PATH
-		;;
-
-	Linux)
-
-		#################
-		# Linux
-		#
-
-		PATH=/share/builds/components/jdk/1.2.2/Linux:$PATH
-		export PATH
-		;;
-esac
-
-###############################
-# Reset any "tracked" aliases #
-###############################
-
-hash -r
diff --git a/security/coreconf/AIX.mk b/security/coreconf/AIX.mk
deleted file mode 100644
index 1f62cb0a3..000000000
--- a/security/coreconf/AIX.mk
+++ /dev/null
@@ -1,74 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Config stuff for AIX.
-#
-include $(CORE_DEPTH)/coreconf/UNIX.mk
-
-#
-# There are two implementation strategies available on AIX:
-# pthreads, and pthreads-user.  The default is pthreads.
-# In both strategies, we need to use pthread_user.c, instead of
-# aix.c.  The fact that aix.c is never used is somewhat strange.
-# 
-# So we need to do the following:
-# - Default (PTHREADS_USER not defined in the environment or on
-#   the command line):
-#   Set PTHREADS_USER=1, USE_PTHREADS=1
-# - PTHREADS_USER=1 set in the environment or on the command line:
-#   Do nothing.
-#
-ifeq ($(PTHREADS_USER),1)
-	USE_PTHREADS =            # just to be safe
-	IMPL_STRATEGY = _PTH_USER
-else
-	USE_PTHREADS = 1
-	PTHREADS_USER = 1
-endif
-
-DEFAULT_COMPILER = xlC_r
-
-CC		= xlC_r
-CCC		= xlC_r
-
-CPU_ARCH	= rs6000
-
-RANLIB		= ranlib
-
-OS_CFLAGS	= -DAIX -DSYSV
-ifeq ($(CC),xlC_r)
-	OS_CFLAGS += -qarch=com
-endif
-
-AIX_WRAP	= $(DIST)/lib/aixwrap.o
-AIX_TMP		= $(OBJDIR)/_aix_tmp.o
-OS_LIBS		+= -lsvld
diff --git a/security/coreconf/AIX3.2.mk b/security/coreconf/AIX3.2.mk
deleted file mode 100644
index c93a00eef..000000000
--- a/security/coreconf/AIX3.2.mk
+++ /dev/null
@@ -1,35 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Config stuff for AIX3.2.5
-#
-include $(CORE_DEPTH)/coreconf/AIX.mk
diff --git a/security/coreconf/AIX4.1.mk b/security/coreconf/AIX4.1.mk
deleted file mode 100644
index ba93b4ce2..000000000
--- a/security/coreconf/AIX4.1.mk
+++ /dev/null
@@ -1,46 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Config stuff for AIX4.1
-#
-
-include $(CORE_DEPTH)/coreconf/AIX.mk
-
-
-AIX_LINK_OPTS  += -bnso -berok
-#AIX_LINK_OPTS += -bnso -berok -brename:.select,.wrap_select -brename:.poll,.wrap_poll -bI:/usr/lib/syscalls.exp
-
-# The AIX4.1 linker had a bug which always looked for a dynamic library
-# with an extension of .a.  AIX4.2 fixed this problem
-DLL_SUFFIX = a
-
-OS_LIBS		+= -lsvld
diff --git a/security/coreconf/AIX4.2.mk b/security/coreconf/AIX4.2.mk
deleted file mode 100644
index 8be6ee6ce..000000000
--- a/security/coreconf/AIX4.2.mk
+++ /dev/null
@@ -1,44 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-
-#
-# Config stuff for AIX4.2
-#
-
-include $(CORE_DEPTH)/coreconf/AIX.mk
-
-OS_CFLAGS	+= -DAIX4_2
-DSO_LDOPTS	= -brtl -bM:SRE -bnoentry -bexpall
-MKSHLIB		= $(LD) $(DSO_LDOPTS) -lsvld -L/usr/lpp/xlC/lib -lc -lm
-
-OS_LIBS		+= -L/usr/lpp/xlC/lib -lc -lm
-
diff --git a/security/coreconf/AIX4.3.mk b/security/coreconf/AIX4.3.mk
deleted file mode 100644
index 11ad35267..000000000
--- a/security/coreconf/AIX4.3.mk
+++ /dev/null
@@ -1,51 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Config stuff for AIX4.3
-#
-
-include $(CORE_DEPTH)/coreconf/AIX.mk
-
-
-ifeq ($(USE_64), 1)
-# Next line replaced by generic name handling in arch.mk
-#	COMPILER_TAG    = _64
-	OS_CFLAGS	+= -O2 -DAIX_64BIT
-	OBJECT_MODE=64
-	export OBJECT_MODE
-endif
-OS_CFLAGS	+= -DAIX4_3
-DSO_LDOPTS	= -brtl -bM:SRE -bnoentry -bexpall
-MKSHLIB		= $(LD) $(DSO_LDOPTS) -lsvld -L/usr/lpp/xlC/lib -lc -lm
-
-OS_LIBS		+= -L/usr/lpp/xlC/lib -lc -lm
-
diff --git a/security/coreconf/FreeBSD2.mk b/security/coreconf/FreeBSD2.mk
deleted file mode 100644
index 974ebe4fd..000000000
--- a/security/coreconf/FreeBSD2.mk
+++ /dev/null
@@ -1,65 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Config stuff for FreeBSD2
-#
-
-include $(CORE_DEPTH)/coreconf/UNIX.mk
-
-DEFAULT_COMPILER	= gcc
-CC			= gcc
-CCC			= g++
-RANLIB			= ranlib
-
-OS_REL_CFLAGS		= -mno-486 -Di386
-CPU_ARCH		= x86
-
-OS_CFLAGS		= $(DSO_CFLAGS) $(OS_REL_CFLAGS) -ansi -Wall -pipe -DFREEBSD -DHAVE_STRERROR -DHAVE_BSD_FLOCK
-
-ifdef USE_PTHREADS
-	OS_LIBS		= -lc_r
-	DEFINES		+= -D_PR_NEED_FAKE_POLL
-else
-	OS_LIBS		= -lc
-endif
-
-ARCH			= freebsd
-
-DSO_CFLAGS		= -fPIC
-DSO_LDOPTS		= -Bshareable
-DSO_LDFLAGS		=
-
-MKSHLIB			= $(LD) $(DSO_LDOPTS)
-
-G++INCLUDES		= -I/usr/include/g++
-
-INCLUDES		+= -I/usr/X11R6/include
diff --git a/security/coreconf/HP-UX.mk b/security/coreconf/HP-UX.mk
deleted file mode 100644
index 0c3d4440f..000000000
--- a/security/coreconf/HP-UX.mk
+++ /dev/null
@@ -1,70 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-
-#
-# Config stuff for HP-UX
-#
-
-include $(CORE_DEPTH)/coreconf/UNIX.mk
-
-DEFAULT_COMPILER = cc
-
-CPU_ARCH   = hppa
-DLL_SUFFIX = sl
-CCC        = CC
-OS_CFLAGS  += -Ae $(DSO_CFLAGS) -DHPUX -D$(CPU_ARCH) -D_HPUX_SOURCE
-
-ifeq ($(DEFAULT_IMPL_STRATEGY),_PTH)
-	USE_PTHREADS = 1
-	ifeq ($(CLASSIC_NSPR),1)
-		USE_PTHREADS =
-		IMPL_STRATEGY = _CLASSIC
-	endif
-	ifeq ($(PTHREADS_USER),1)
-		USE_PTHREADS =
-		IMPL_STRATEGY = _PTH_USER
-	endif
-endif
-
-ifdef PTHREADS_USER
-	OS_CFLAGS	+= -D_POSIX_C_SOURCE=199506L
-endif
-
-MKSHLIB			= $(LD) $(DSO_LDOPTS)
-
-DSO_LDOPTS		= -b
-DSO_LDFLAGS		=
-
-# +Z generates position independent code for use in shared libraries.
-DSO_CFLAGS = +Z
-
-HAVE_PURIFY		= 1
diff --git a/security/coreconf/HP-UXA.09.03.mk b/security/coreconf/HP-UXA.09.03.mk
deleted file mode 100644
index 7ac02ae2a..000000000
--- a/security/coreconf/HP-UXA.09.03.mk
+++ /dev/null
@@ -1,44 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-
-#
-# On HP-UX 9, the default (and only) implementation strategy is
-# classic nspr.
-#
-ifeq ($(OS_RELEASE),A.09.03)
-	DEFAULT_IMPL_STRATEGY	 = _CLASSIC
-endif
-
-#
-# Config stuff for HP-UXA.09.03
-#
-include $(CORE_DEPTH)/coreconf/HP-UXA.09.mk
diff --git a/security/coreconf/HP-UXA.09.07.mk b/security/coreconf/HP-UXA.09.07.mk
deleted file mode 100644
index 9fcf4c826..000000000
--- a/security/coreconf/HP-UXA.09.07.mk
+++ /dev/null
@@ -1,43 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# On HP-UX 9, the default (and only) implementation strategy is
-# classic nspr.
-#
-ifeq ($(OS_RELEASE),A.09.07)
-	DEFAULT_IMPL_STRATEGY	 = _CLASSIC
-endif
-
-#
-# Config stuff for HP-UXA.09.07
-#
-include $(CORE_DEPTH)/coreconf/HP-UXA.09.mk
diff --git a/security/coreconf/HP-UXA.09.mk b/security/coreconf/HP-UXA.09.mk
deleted file mode 100644
index 813a16f40..000000000
--- a/security/coreconf/HP-UXA.09.mk
+++ /dev/null
@@ -1,38 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-
-#
-# Config stuff for HP-UXA.09
-#
-include $(CORE_DEPTH)/coreconf/HP-UX.mk
-
-OS_CFLAGS += -DHPUX9
diff --git a/security/coreconf/HP-UXB.10.01.mk b/security/coreconf/HP-UXB.10.01.mk
deleted file mode 100644
index 718ee1184..000000000
--- a/security/coreconf/HP-UXB.10.01.mk
+++ /dev/null
@@ -1,40 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-ifeq ($(OS_RELEASE),B.10.01)
-	DEFAULT_IMPL_STRATEGY	 = _CLASSIC
-endif
-
-#
-# Config stuff for HP-UXB.10.01
-#
-include $(CORE_DEPTH)/coreconf/HP-UXB.10.mk
diff --git a/security/coreconf/HP-UXB.10.10.mk b/security/coreconf/HP-UXB.10.10.mk
deleted file mode 100644
index bb6f8cfb5..000000000
--- a/security/coreconf/HP-UXB.10.10.mk
+++ /dev/null
@@ -1,50 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# On HP-UX 10.10 and 10.20, the default implementation strategy is
-# pthreads (actually DCE threads).  Classic nspr is also available.
-#
-
-ifeq ($(OS_RELEASE),B.10.10)
-	DEFAULT_IMPL_STRATEGY 	 = _PTH
-endif
-
-#
-# Config stuff for HP-UXB.10.10
-#
-include $(CORE_DEPTH)/coreconf/HP-UXB.10.mk
-
-OS_CFLAGS += -DHPUX10_10
-
-ifeq ($(USE_PTHREADS),1)
-	OS_CFLAGS	+= -D_REENTRANT -D_PR_DCETHREADS
-endif
diff --git a/security/coreconf/HP-UXB.10.20.mk b/security/coreconf/HP-UXB.10.20.mk
deleted file mode 100644
index eeae7cd3a..000000000
--- a/security/coreconf/HP-UXB.10.20.mk
+++ /dev/null
@@ -1,50 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# On HP-UX 10.10 and 10.20, the default implementation strategy is
-# pthreads (actually DCE threads).  Classic nspr is also available.
-#
-
-ifeq ($(OS_RELEASE),B.10.20)
-	DEFAULT_IMPL_STRATEGY = _PTH
-endif
-
-#
-# Config stuff for HP-UXB.10.20
-#
-include $(CORE_DEPTH)/coreconf/HP-UXB.10.mk
-
-OS_CFLAGS		+= -DHPUX10_20
-
-ifeq ($(USE_PTHREADS),1)
-	OS_CFLAGS	+= -D_REENTRANT -D_PR_DCETHREADS
-endif
diff --git a/security/coreconf/HP-UXB.10.30.mk b/security/coreconf/HP-UXB.10.30.mk
deleted file mode 100644
index ef52d1122..000000000
--- a/security/coreconf/HP-UXB.10.30.mk
+++ /dev/null
@@ -1,56 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# On HP-UX 10.30 and 11.00, the default implementation strategy is
-# pthreads.  Classic nspr and pthreads-user are also available.
-#
-
-ifeq ($(OS_RELEASE),B.10.30)
-	DEFAULT_IMPL_STRATEGY	 = _PTH
-endif
-
-#
-# Config stuff for HP-UXB.10.30.
-#
-include $(CORE_DEPTH)/coreconf/HP-UXB.10.mk
-
-OS_CFLAGS		+= -DHPUX10_30
-
-#
-# To use the true pthread (kernel thread) library on 10.30 and
-# 11.00, we should define _POSIX_C_SOURCE to be 199506L.
-# The _REENTRANT macro is deprecated.
-#
-
-ifdef USE_PTHREADS
-	OS_CFLAGS	+= -D_POSIX_C_SOURCE=199506L
-endif
diff --git a/security/coreconf/HP-UXB.10.mk b/security/coreconf/HP-UXB.10.mk
deleted file mode 100644
index 77ca9bce7..000000000
--- a/security/coreconf/HP-UXB.10.mk
+++ /dev/null
@@ -1,38 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Config stuff for HP-UXB.10
-#
-include $(CORE_DEPTH)/coreconf/HP-UX.mk
-
-OS_CFLAGS += -DHPUX10
-OS_LIBS   += -lpthread -lm
diff --git a/security/coreconf/HP-UXB.11.00.mk b/security/coreconf/HP-UXB.11.00.mk
deleted file mode 100644
index 0732202ae..000000000
--- a/security/coreconf/HP-UXB.11.00.mk
+++ /dev/null
@@ -1,55 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# On HP-UX 10.30 and 11.00, the default implementation strategy is
-# pthreads.  Classic nspr and pthreads-user are also available.
-#
-
-ifeq ($(OS_RELEASE),B.11.00)
-OS_CFLAGS		+= -DHPUX10
-DEFAULT_IMPL_STRATEGY = _PTH
-endif
-
-#
-# To use the true pthread (kernel thread) library on 10.30 and
-# 11.00, we should define _POSIX_C_SOURCE to be 199506L.
-# The _REENTRANT macro is deprecated.
-#
-
-ifdef USE_PTHREADS
-	OS_CFLAGS	+= -D_POSIX_C_SOURCE=199506L
-endif
-
-#
-# Config stuff for HP-UXB.11.00.
-#
-include $(CORE_DEPTH)/coreconf/HP-UXB.11.mk
diff --git a/security/coreconf/HP-UXB.11.mk b/security/coreconf/HP-UXB.11.mk
deleted file mode 100644
index 7b5a631f4..000000000
--- a/security/coreconf/HP-UXB.11.mk
+++ /dev/null
@@ -1,56 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Config stuff for HP-UXB.11
-#
-include $(CORE_DEPTH)/coreconf/HP-UX.mk
-
-ifndef NS_USE_GCC
-    CCC                 = /opt/aCC/bin/aCC -ext
-    ifeq ($(USE_64), 1)
-	OS_CFLAGS       +=  -Aa +e +DA2.0W +DS2.0 +DChpux
-# Next line replaced by generic name handling in arch.mk
-#	COMPILER_TAG    = _64
-    else
-	ifdef USE_LONG_LONGS
-	    OS_CFLAGS 	+= -Aa +e +DA2.0 +DS2.0 
-	else
-	    OS_CFLAGS   += +DAportable +DS1.1
-	endif
-    endif
-else
-    CCC = aCC
-endif
-
-OS_CFLAGS += -DHPUX11 
-OS_LIBS   += -lpthread -lm -lrt
-HPUX11	= 1
diff --git a/security/coreconf/IRIX.mk b/security/coreconf/IRIX.mk
deleted file mode 100644
index fe0f906b5..000000000
--- a/security/coreconf/IRIX.mk
+++ /dev/null
@@ -1,122 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Config stuff for IRIX
-#
-
-include $(CORE_DEPTH)/coreconf/UNIX.mk
-
-#
-# The default implementation strategy for Irix is classic nspr.
-#
-ifeq ($(USE_PTHREADS),1)
-	ifeq ($(USE_N32),1)
-		IMPL_STRATEGY = _n32_PTH
-	else
-		IMPL_STRATEGY = _PTH
-	endif
-endif
-
-DEFAULT_COMPILER = cc
-
-ifdef NS_USE_GCC
-	CC		= gcc
-	AS		= $(CC) -x assembler-with-cpp
-	ODD_CFLAGS	= -Wall -Wno-format
-	ifdef BUILD_OPT
-		OPTIMIZER	= -O6
-	endif
-else
-	CC	= cc
-	CCC		= CC
-	ODD_CFLAGS	= -fullwarn -xansi
-	ifdef BUILD_OPT
-		ifeq ($(USE_N32),1)
-			OPTIMIZER	= -O -OPT:Olimit=4000
-		else
-			OPTIMIZER	= -O -Olimit 4000
-		endif
-	endif
-
-	# For 6.x machines, include this flag
-	ifeq (6., $(findstring 6., $(OS_RELEASE)))
-		ifeq ($(USE_N32),1)
-			ODD_CFLAGS	+= -n32 -mips3 -exceptions
-		else
-			ODD_CFLAGS	+= -32 -multigot
-		endif
-	else
-		ODD_CFLAGS		+= -xgot
-	endif
-	ifeq ($(USE_N32),1)
-		OS_CFLAGS	+= -dollar
-	endif
-endif
-
-ODD_CFLAGS	+= -DSVR4 -DIRIX 
-
-CPU_ARCH	= mips
-
-RANLIB		= /bin/true
-# For purify
-# NOTE: should always define _SGI_MP_SOURCE
-NOMD_OS_CFLAGS += $(ODD_CFLAGS) -D_SGI_MP_SOURCE
-
-ifndef NO_MDUPDATE
-	OS_CFLAGS += $(NOMD_OS_CFLAGS) -MDupdate $(DEPENDENCIES)
-else
-	OS_CFLAGS += $(NOMD_OS_CFLAGS)
-endif
-
-ifeq ($(USE_N32),1)
-	SHLIB_LD_OPTS	+= -n32 -mips3
-endif
-
-MKSHLIB     += $(LD) $(SHLIB_LD_OPTS) -shared -soname $(@:$(OBJDIR)/%.so=%.so)
-
-HAVE_PURIFY	= 1
-
-DSO_LDOPTS	= -elf -shared -all
-
-ifdef DSO_BACKEND
-	DSO_LDOPTS += -soname $(DSO_NAME)
-endif
-
-#
-# Revision notes:
-#
-# In the IRIX compilers prior to version 7.2, -n32 implied -mips3.
-# Beginning in the 7.2 compilers, -n32 implies -mips4 when the compiler
-# is running on a system with a mips4 CPU (e.g. R8K, R10K).
-# We want our code to explicitly be mips3 code, so we now explicitly
-# set -mips3 whenever we set -n32.
-#
diff --git a/security/coreconf/IRIX5.2.mk b/security/coreconf/IRIX5.2.mk
deleted file mode 100644
index fbb4a137b..000000000
--- a/security/coreconf/IRIX5.2.mk
+++ /dev/null
@@ -1,35 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Config stuff for IRIX 5.2
-#
-include $(CORE_DEPTH)/coreconf/IRIX5.mk
diff --git a/security/coreconf/IRIX5.3.mk b/security/coreconf/IRIX5.3.mk
deleted file mode 100644
index b7134592b..000000000
--- a/security/coreconf/IRIX5.3.mk
+++ /dev/null
@@ -1,37 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Config stuff for IRIX 5.3
-#
-include $(CORE_DEPTH)/coreconf/IRIX5.mk
-
-OS_CFLAGS += -DIRIX5_3
diff --git a/security/coreconf/IRIX5.mk b/security/coreconf/IRIX5.mk
deleted file mode 100644
index 56bfb0ea5..000000000
--- a/security/coreconf/IRIX5.mk
+++ /dev/null
@@ -1,40 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Config stuff for IRIX 5
-#
-
-include $(CORE_DEPTH)/coreconf/IRIX.mk
-
-ifndef NS_USE_GCC
-	ODD_CFLAGS += -xgot
-endif
diff --git a/security/coreconf/IRIX6.2.mk b/security/coreconf/IRIX6.2.mk
deleted file mode 100644
index e17a0c3b6..000000000
--- a/security/coreconf/IRIX6.2.mk
+++ /dev/null
@@ -1,43 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Config stuff for IRIX 6.2
-#
-
-
-# catch unresolved symbols
-
-SHLIB_LD_OPTS += -no_unresolved
-
-include $(CORE_DEPTH)/coreconf/IRIX6.mk
-
-OS_CFLAGS += -DIRIX6_2
diff --git a/security/coreconf/IRIX6.3.mk b/security/coreconf/IRIX6.3.mk
deleted file mode 100644
index a684a1e11..000000000
--- a/security/coreconf/IRIX6.3.mk
+++ /dev/null
@@ -1,42 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Config stuff for IRIX 6.3
-#
-
-# catch unresolved symbols
-
-SHLIB_LD_OPTS += -no_unresolved
-
-include $(CORE_DEPTH)/coreconf/IRIX6.mk
-
-OS_CFLAGS += -DIRIX6_3
diff --git a/security/coreconf/IRIX6.5.mk b/security/coreconf/IRIX6.5.mk
deleted file mode 100644
index 7f68d82cb..000000000
--- a/security/coreconf/IRIX6.5.mk
+++ /dev/null
@@ -1,42 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Config stuff for IRIX 6.5
-#
-
-# catch unresolved symbols
-
-SHLIB_LD_OPTS += -no_unresolved
-
-include $(CORE_DEPTH)/coreconf/IRIX6.mk
-
-OS_CFLAGS += -DIRIX6_5 -mips3
diff --git a/security/coreconf/IRIX6.mk b/security/coreconf/IRIX6.mk
deleted file mode 100644
index a401dc6f3..000000000
--- a/security/coreconf/IRIX6.mk
+++ /dev/null
@@ -1,47 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Config stuff for IRIX 6
-#
-
-include $(CORE_DEPTH)/coreconf/IRIX.mk
-
-ifndef NS_USE_GCC
-	ifneq ($(USE_N32),1)
-	OS_CFLAGS  += -32
-	endif
-	ODD_CFLAGS += -multigot
-endif
-
-ifeq ($(USE_PTHREADS),1)
-OS_LIBS += -lpthread
-endif
diff --git a/security/coreconf/Linux.mk b/security/coreconf/Linux.mk
deleted file mode 100644
index 444f4b272..000000000
--- a/security/coreconf/Linux.mk
+++ /dev/null
@@ -1,97 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Config stuff for Linux
-#
-
-include $(CORE_DEPTH)/coreconf/UNIX.mk
-
-#
-# The default implementation strategy for Linux is now pthreads
-#
-USE_PTHREADS = 1
-
-ifeq ($(USE_PTHREADS),1)
-	IMPL_STRATEGY = _PTH
-endif
-
-CC			= gcc
-CCC			= g++
-RANLIB			= ranlib
-
-DEFAULT_COMPILER = gcc
-
-ifeq ($(OS_TEST),ppc)
-	OS_REL_CFLAGS	= -DMACLINUX -DLINUX1_2
-	CPU_ARCH	= ppc
-else
-ifeq ($(OS_TEST),alpha)
-        OS_REL_CFLAGS   = -D_ALPHA_ -DLINUX1_2 -D_XOPEN_SOURCE
-	CPU_ARCH	= alpha
-else
-	OS_REL_CFLAGS	= -mno-486 -DLINUX1_2 -Di386 -D_XOPEN_SOURCE
-	CPU_ARCH	= x86
-endif
-endif
-
-
-LIBC_TAG		= _glibc
-
-ifeq ($(OS_RELEASE),2.0)
-	OS_REL_CFLAGS	+= -DLINUX2_0
-	MKSHLIB		= $(CC) -shared -Wl,-soname -Wl,$(@:$(OBJDIR)/%.so=%.so)
-	ifdef BUILD_OPT
-		OPTIMIZER	= -O2
-	endif
-endif
-
-ifeq ($(USE_PTHREADS),1)
-OS_PTHREAD = -lpthread 
-endif
-
-OS_CFLAGS		= $(DSO_CFLAGS) $(OS_REL_CFLAGS) -ansi -Wall -pipe -DLINUX -Dlinux -D_POSIX_SOURCE -D_BSD_SOURCE -DHAVE_STRERROR
-OS_LIBS			= -L/lib $(OS_PTHREAD) -ldl -lc
-
-ifdef USE_PTHREADS
-	DEFINES		+= -D_REENTRANT -D_PR_NEED_FAKE_POLL
-else
-	DEFINES		+= -D_PR_LOCAL_THREADS_ONLY
-endif
-
-ARCH			= linux
-
-DSO_CFLAGS		= -fPIC
-DSO_LDOPTS		= -shared
-DSO_LDFLAGS		=
-
-# INCLUDES += -I/usr/include -Y/usr/include/linux
-G++INCLUDES		= -I/usr/include/g++
diff --git a/security/coreconf/Linux2.1.mk b/security/coreconf/Linux2.1.mk
deleted file mode 100644
index bfbfe6b90..000000000
--- a/security/coreconf/Linux2.1.mk
+++ /dev/null
@@ -1,44 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Config stuff for Linux 2.1 (ELF)
-#
-
-include $(CORE_DEPTH)/coreconf/Linux.mk
-ifeq ($(OS_RELEASE),2.1)
-        OS_REL_CFLAGS   += -DLINUX2_1
-        MKSHLIB         = $(CC) -shared -Wl,-soname -Wl,$(@:$(OBJDIR)/%.so=%.so)
-        ifdef BUILD_OPT
-                OPTIMIZER       = -O2
-        endif
-endif
-
diff --git a/security/coreconf/Linux2.2.mk b/security/coreconf/Linux2.2.mk
deleted file mode 100644
index c552c1d76..000000000
--- a/security/coreconf/Linux2.2.mk
+++ /dev/null
@@ -1,43 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Config stuff for Linux 2.2 (ELF)
-#
-
-include $(CORE_DEPTH)/coreconf/Linux.mk
-
-OS_REL_CFLAGS   += -DLINUX2_1
-MKSHLIB         = $(CC) -shared -Wl,-soname -Wl,$(@:$(OBJDIR)/%.so=%.so)
-ifdef BUILD_OPT
-            OPTIMIZER       = -O2
-endif
-
diff --git a/security/coreconf/LinuxELF1.2.mk b/security/coreconf/LinuxELF1.2.mk
deleted file mode 100644
index 860787958..000000000
--- a/security/coreconf/LinuxELF1.2.mk
+++ /dev/null
@@ -1,36 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Config stuff for Linux 1.2 (ELF)
-#
-
-include $(CORE_DEPTH)/coreconf/Linux.mk
diff --git a/security/coreconf/LinuxELF2.0.mk b/security/coreconf/LinuxELF2.0.mk
deleted file mode 100644
index a85dfafa9..000000000
--- a/security/coreconf/LinuxELF2.0.mk
+++ /dev/null
@@ -1,36 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Config stuff for Linux 2.0 (ELF)
-#
-
-include $(CORE_DEPTH)/coreconf/Linux.mk
diff --git a/security/coreconf/Makefile b/security/coreconf/Makefile
deleted file mode 100644
index 9f6fd6078..000000000
--- a/security/coreconf/Makefile
+++ /dev/null
@@ -1,43 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-DEPTH		= ..
-CORE_DEPTH	= ..
-
-MODULE		= coreconf
-
-DIRS		= nsinstall mkdepend md
-
-include $(DEPTH)/coreconf/config.mk
-include $(DEPTH)/coreconf/rules.mk
-
-export:: libs
diff --git a/security/coreconf/NCR3.0.mk b/security/coreconf/NCR3.0.mk
deleted file mode 100644
index 8193bd1f5..000000000
--- a/security/coreconf/NCR3.0.mk
+++ /dev/null
@@ -1,90 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Config stuff for NCR SysVr4 v 3.0
-#
-
-include $(CORE_DEPTH)/coreconf/UNIX.mk
-
-DEFAULT_COMPILER = cc
-
-###
-NS_USE_NATIVE = 1
-
-# NS_USE_GCC = 1
-
-export PATH:=$(PATH):/opt/ncc/bin
-###
-
-RANLIB           = true
-GCC_FLAGS_EXTRA += -pipe
-
-DEFINES		+= -DSVR4 -DSYSV -DHAVE_STRERROR -DNCR
-
-OS_CFLAGS	+= -Hnocopyr -DSVR4 -DSYSV -DHAVE_STRERROR -DNCR -DPRFSTREAMS_BROKEN
-
-ifdef NS_USE_NATIVE
-	CC       = cc
-	CCC      = ncc
-	CXX      = ncc
-#	OS_LIBS += -L/opt/ncc/lib 
-else
-#	OS_LIBS	+=
-endif
-
-#OS_LIBS    += -lsocket -lnsl -ldl -lc
-
-MKSHLIB     += $(LD) $(DSO_LDOPTS)
-#DSO_LDOPTS += -G -z defs
-DSO_LDOPTS += -G
-
-CPU_ARCH    = x86
-ARCH        = ncr
-
-NOSUCHFILE  = /solaris-rm-f-sucks
-
-# now take care of default GCC (rus@5/5/97)
- 
-ifdef NS_USE_GCC
-	# if gcc-settings are redefined already - don't touch it
-	#
-	ifeq (,$(findstring gcc, $(CC)))
-		CC   = gcc
-		CCC  = g++
-		CXX  = g++
-		# always use -fPIC - some makefiles are still broken and don't distinguish
-		# situation when they build shared and static libraries
-		CFLAGS  += -fPIC -Wall $(GCC_FLAGS_EXTRA)
-#		OS_LIBS += -L/usr/local/lib -lstdc++ -lg++ -lgcc
-	endif
-endif
-###
diff --git a/security/coreconf/NEC4.2.mk b/security/coreconf/NEC4.2.mk
deleted file mode 100644
index 8e635f1ca..000000000
--- a/security/coreconf/NEC4.2.mk
+++ /dev/null
@@ -1,61 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Config stuff for NEC Mips SYSV
-#
-
-include $(CORE_DEPTH)/coreconf/UNIX.mk
-
-DEFAULT_COMPILER = $(CORE_DEPTH)/build/hcc
-
-CPU_ARCH		= mips
-
-ifdef NS_USE_GCC
-CC			= gcc
-CCC			= g++
-else
-CC			= $(CORE_DEPTH)/build/hcc
-OS_CFLAGS		= -Xa -KGnum=0 -KOlimit=4000
-CCC			= g++
-endif
-
-MKSHLIB			= $(LD) $(DSO_LDOPTS)
-
-RANLIB			= /bin/true
-
-OS_CFLAGS		+= $(ODD_CFLAGS) -DSVR4 -D__SVR4 -DNEC -Dnec_ews -DHAVE_STRERROR
-OS_LIBS			= -lsocket -lnsl -ldl $(LDOPTIONS)
-LDOPTIONS		= -lc -L/usr/ucblib -lucb
-
-NOSUCHFILE		= /nec-rm-f-sucks
-
-DSO_LDOPTS		= -G
diff --git a/security/coreconf/OS2.mk b/security/coreconf/OS2.mk
deleted file mode 100644
index c3b7c83c2..000000000
--- a/security/coreconf/OS2.mk
+++ /dev/null
@@ -1,162 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-MOZ_WIDGET_TOOLKIT = os2
-
-# Specify toolset.  Default to EMX.
-ifeq ($(MOZ_OS2_TOOLS),VACPP)
-XP_OS2_VACPP = 1
-else
-ifeq ($(MOZ_OS2_TOOLS),PGCC)
-XP_OS2_EMX   = 1
-else
-MOZ_OS2_TOOLS = EMX
-XP_OS2_EMX   = 1
-endif
-endif
-
-# XP_PC is for Window and OS2 on Intel X86
-# XP_OS2 is strictly for OS2 only
-XP_DEFINE  += -DXP_PC=1  -DXP_OS2=1
-
-# Override suffix in suffix.mk
-LIB_SUFFIX  = lib
-DLL_SUFFIX  = dll
-OBJ_SUFFIX  = .obj
-ASM_SUFFIX  = .asm
-PROG_SUFFIX = .exe
-
-
-#
-# On OS/2 we proudly support gbash...
-#
-SHELL = GBASH.EXE
-CCC			= icc -q -DXP_OS2 -DOS2=4 -N10
-LINK			= ilink
-AR                      = emxomfar -p256 r $@
-# Keep AR_FLAGS blank so that we do not have to change rules.mk
-AR_FLAGS                = 
-RANLIB 			= @echo OS2 RANLIB
-BSDECHO 		= @echo OS2 BSDECHO
-
-ifndef NO_SHARED_LIB
-WRAP_MALLOC_LIB         = 
-WRAP_MALLOC_CFLAGS      = 
-DSO_CFLAGS              = 
-DSO_PIC_CFLAGS          = 
-MKSHLIB                 = $(CXX) $(CXXFLAGS) $(DSO_LDOPTS) -o $@
-MKCSHLIB                = $(CC) $(CFLAGS) $(DSO_LDOPTS) -o $@
-MKSHLIB_FORCE_ALL       = 
-MKSHLIB_UNFORCE_ALL     = 
-DSO_LDOPTS              = -Zomf -Zdll -Zmt -Zcrtdll -Zlinker /NOO
-# DLL_SUFFIX              = .dll
-SHLIB_LDSTARTFILE	= 
-SHLIB_LDENDFILE		= 
-endif
-
-# HCT Include from Mozilla client build. 
-INCLUDES           = -I$(CORE_DEPTH)/../dist/include  -I$(CORE_DEPTH)/../include
-
-# This is where Mozilla Client build DIST & INCLUDE.
-# while DIST is where Security build put it LIB & INCLUDE
-MOZ_DIST           =  $(CORE_DEPTH)/../dist
-MOZ_LIB            =  $(CORE_DEPTH)/../dist/lib
-
-OS_CFLAGS          = -Wall -W -Wno-unused -Wpointer-arith -Wcast-align -Zmtd -Zomf -Zmt  -DDEBUG -DDEBUG_wintrinh -DTRACING -g
-
-# Where the libraries are
-MOZ_COMPONENT_NSPR_LIBS=-L$(DIST)/lib $(NSPR_LIBS)
-NSPR_LIBS	= -lplds4 -lplc4 -lnspr4 
-NSPR_INCLUDE_DIR =   
-
-
-
-ifdef BUILD_OPT
-OPTIMIZER		= -O+ -Oi 
-DEFINES 		+= -UDEBUG -U_DEBUG -DNDEBUG
-DLLFLAGS		= -DLL -OUT:$@ -MAP:$(@:.dll=.map)
-EXEFLAGS    		= -PMTYPE:VIO -OUT:$@ -MAP:$(@:.exe=.map) -nologo -NOE
-OBJDIR_TAG 		= _OPT
-else
-#OPTIMIZER		= -O+ -Oi
-DEFINES 		+= -DDEBUG -D_DEBUG -DDEBUGPRINTS     #HCT Need += to avoid overidding manifest.mn 
-DLLFLAGS		= -DEBUG -DLL -OUT:$@ -MAP:$(@:.dll=.map)
-EXEFLAGS    		= -DEBUG -PMTYPE:VIO -OUT:$@ -MAP:$(@:.exe=.map) -nologo -NOE
-OBJDIR_TAG 		= _DBG
-LDFLAGS 		= -DEBUG 
-endif
-
-# OS/2 use nsinstall that is included in the toolkit.
-# since we do not wish to support and maintain 3 version of nsinstall in mozilla, nspr and nss
-
-NSINSTALL_DIR  = $(CORE_DEPTH)/coreconf/nsinstall
-# NSINSTALL      = $(NSINSTALL_DIR)/$(OBJDIR_NAME)/nsinstall
-NSINSTALL 	= nsinstall             # HCT4OS2
-INSTALL		= $(NSINSTALL)
-
-MKDEPEND_DIR    = $(CORE_DEPTH)/coreconf/mkdepend
-MKDEPEND        = $(MKDEPEND_DIR)/$(OBJDIR_NAME)/mkdepend
-MKDEPENDENCIES  = $(OBJDIR_NAME)/depend.mk
-
-####################################################################
-#
-# One can define the makefile variable NSDISTMODE to control
-# how files are published to the 'dist' directory.  If not
-# defined, the default is "install using relative symbolic
-# links".  The two possible values are "copy", which copies files
-# but preserves source mtime, and "absolute_symlink", which
-# installs using absolute symbolic links.  The "absolute_symlink"
-# option requires NFSPWD.
-#   - THIS IS NOT PART OF THE NEW BINARY RELEASE PLAN for 9/30/97
-#   - WE'RE KEEPING IT ONLY FOR BACKWARDS COMPATIBILITY
-####################################################################
-
-ifeq ($(NSDISTMODE),copy)
-	# copy files, but preserve source mtime
-	INSTALL  = $(NSINSTALL)
-	INSTALL += -t
-else
-	ifeq ($(NSDISTMODE),absolute_symlink)
-		# install using absolute symbolic links
-		INSTALL  = $(NSINSTALL)
-		INSTALL += -L `$(NFSPWD)`
-	else
-		# install using relative symbolic links
-		INSTALL  = $(NSINSTALL)
-		INSTALL += -R
-	endif
-endif
-
-define MAKE_OBJDIR
-if test ! -d $(@D); then rm -rf $(@D); $(NSINSTALL) -D $(@D); fi
-endef
diff --git a/security/coreconf/OSF1.mk b/security/coreconf/OSF1.mk
deleted file mode 100644
index 37484fcb9..000000000
--- a/security/coreconf/OSF1.mk
+++ /dev/null
@@ -1,70 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Config stuff for DEC OSF/1
-#
-
-#
-# The Bourne shell (sh) on OSF1 doesn't handle "set -e" correctly,
-# which we use to stop LOOP_OVER_DIRS submakes as soon as any
-# submake fails.  So we use the Korn shell instead.
-#
-SHELL = /usr/bin/ksh
-
-include $(CORE_DEPTH)/coreconf/UNIX.mk
-
-DEFAULT_COMPILER = cc
-
-CC         = cc
-OS_CFLAGS += $(NON_LD_FLAGS) -std1
-CCC        = cxx
-RANLIB     = /bin/true
-CPU_ARCH   = alpha
-
-ifdef BUILD_OPT
-	OPTIMIZER += -Olimit 4000
-endif
-
-NON_LD_FLAGS += -ieee_with_inexact
-OS_CFLAGS    += -DOSF1 -D_REENTRANT 
-
-ifeq ($(USE_PTHREADS),1)
-	OS_CFLAGS += -pthread
-endif
-
-ifeq ($(USE_IPV6),1)
-	OS_CFLAGS += -D_PR_INET6
-endif
-
-# The command to build a shared library on OSF1.
-MKSHLIB    += ld -shared -all -expect_unresolved "*"
-DSO_LDOPTS += -shared
diff --git a/security/coreconf/OSF1V2.0.mk b/security/coreconf/OSF1V2.0.mk
deleted file mode 100644
index de7dab643..000000000
--- a/security/coreconf/OSF1V2.0.mk
+++ /dev/null
@@ -1,35 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Config stuff for DEC OSF/1 V2.0
-#
-include $(CORE_DEPTH)/coreconf/OSF1.mk
diff --git a/security/coreconf/OSF1V3.0.mk b/security/coreconf/OSF1V3.0.mk
deleted file mode 100644
index 623b2f971..000000000
--- a/security/coreconf/OSF1V3.0.mk
+++ /dev/null
@@ -1,35 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Config stuff for DEC OSF/1 V3.0
-#
-include $(CORE_DEPTH)/coreconf/OSF1.mk
diff --git a/security/coreconf/OSF1V3.2.mk b/security/coreconf/OSF1V3.2.mk
deleted file mode 100644
index 9d584b37b..000000000
--- a/security/coreconf/OSF1V3.2.mk
+++ /dev/null
@@ -1,44 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# On OSF1 V3.2, classic nspr is the default (and only) implementation
-# strategy.
-#
-
-#
-# Config stuff for DEC OSF/1 V3.2
-#
-include $(CORE_DEPTH)/coreconf/OSF1.mk
-
-ifeq ($(OS_RELEASE),V3.2)
-	OS_CFLAGS += -DOSF1V3
-endif
diff --git a/security/coreconf/OSF1V4.0.mk b/security/coreconf/OSF1V4.0.mk
deleted file mode 100644
index 164a6613a..000000000
--- a/security/coreconf/OSF1V4.0.mk
+++ /dev/null
@@ -1,51 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# On OSF1 V4.0, pthreads is the default implementation strategy.
-# Classic nspr is also available.
-#
-ifneq ($(OS_RELEASE),V3.2)
-	USE_PTHREADS = 1
-	ifeq ($(CLASSIC_NSPR), 1)
-		USE_PTHREADS =
-		IMPL_STRATEGY := _CLASSIC
-	endif
-endif
-
-#
-# Config stuff for DEC OSF/1 V4.0
-#
-include $(CORE_DEPTH)/coreconf/OSF1.mk
-
-ifeq ($(OS_RELEASE),V4.0)
-	OS_CFLAGS += -DOSF1V4
-endif
diff --git a/security/coreconf/OSF1V4.0B.mk b/security/coreconf/OSF1V4.0B.mk
deleted file mode 100644
index 73f357d17..000000000
--- a/security/coreconf/OSF1V4.0B.mk
+++ /dev/null
@@ -1,35 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Config stuff for DEC OSF/1 V4.0B
-#
-include $(CORE_DEPTH)/coreconf/OSF1V4.0.mk
diff --git a/security/coreconf/OSF1V4.0D.mk b/security/coreconf/OSF1V4.0D.mk
deleted file mode 100644
index 515c76d5f..000000000
--- a/security/coreconf/OSF1V4.0D.mk
+++ /dev/null
@@ -1,39 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Config stuff for DEC OSF/1 V4.0D
-#
-include $(CORE_DEPTH)/coreconf/OSF1V4.0.mk
-DEFINES	+= -DOSF1V4D
-
-OS_LIBS += -lpthread -lrt
-
diff --git a/security/coreconf/README b/security/coreconf/README
deleted file mode 100644
index f769ee56d..000000000
--- a/security/coreconf/README
+++ /dev/null
@@ -1,568 +0,0 @@
-OVERVIEW of "ns/coreconf":
-
-    This README file is an attempt to provide the reader with a simple
-    synopsis of the "ns/coreconf" build system which was originally
-    fundamentally designed and built to accomodate Netscape's binary
-    release model.  Wherever possible, an attempt has been made to
-    comply with the NSPR 2.0 build system, including mimicing the
-    compiler/linker flags, and directory naming structure.  The reader
-    should keep in mind that the system builds binary releases of
-    header files, class files, libraries, and executables on numerous
-    flavors of UNIX and Windows operating systems.  Unfortunately,
-    no serious attempt has ever been made to incorporate an ability to
-    generate cross-platform binaries on an Apple MacIntosh platform.
-
-    Note that this file will not attempt to redefine or document the
-    architecture of this system.  However, documents on this subject
-    are available at the following URL:
-
-        http://warp/hardcore/prj-ttools/specs/release/index.html
-
-
-
-DEPENDENCIES of "ns/coreconf":
-
-    The "ns/coreconf" build system requires the specified versions of
-    the following platform-dependent tools:
-
-        UNIX Platforms:
-        --------------
-        gmake (version 3.74 or later)
-        perl 4.0 (NOTE:  perl 5.003 or later recommended)
-        uname
-
-        Windows Platforms:
-        -----------------
-        gmake 3.74 (must use hacked Netscape version)
-        shmsdos.exe (contained in Netscape gmake.exe)
-        nsinstall.exe (contained in Netscape gmake.exe)
-        perl.exe (version 4.0 for everything except testing;
-                  NOTE:  MKS toolkit perl 5.002 is broken)
-        perl5.exe (for testing;
-                   NOTE:  perl 5.003 or later recommended;
-                          MKS toolkit perl 5.002 is broken)
-        uname.exe (use nstools version)
-
-ENHANCEMENTS to "ns/coreconf":
-
-    With the advent of Certificate Server 4.0 using the ns/coreconf
-    build system, several changes had to be made to enhance
-    ns/coreconf support for building Java/JNI classes/programs, as
-    well as libraries slated to be released as binaries.  While the
-    following may not represent an exhaustive list of these changes,
-    it does attempt to be at least somewhat comprehensive:
-
-        (1) During the course of these enhancements, a total of
-            four files have been modified, and four new files have
-            been added.
-
-            The following files have been modified:
-
-                - command.mk:    removed old definition of JAR
-
-                - config.mk:     added include statement of new
-                                 "jdk.mk" file
-
-                - ruleset.mk:    allowed the $(MKPROG) variable to be
-                                 overridden by supplying it with a
-                                 default value of $(CC); augmented
-                                 numerous definitions to enhance
-                                 ability of ns/coreconf to produce
-                                 a more robust set of libraries;
-                                 added some JNI definitions; PACKAGE
-                                 definition may be overridden by new
-                                 "jdk.mk" file
-
-                - rules.mk:      separated the compile phase of a
-                                 program from the link phase of a
-                                 program such that a developer can
-                                 now strictly override program linkage
-                                 by simply supplying a $(MKPROG)
-                                 variable; augmented NETLIBDEPTH
-                                 to use CORE_DEPTH but retain backward
-                                 compatibility; added JNI section;
-                                 modified .PRECIOUS rule;
-
-            The following files have been added:
-
-                - README:        this file; an ASCII-based text
-                                 document used to summarize the
-                                 ns/coreconf build system and
-                                 suitable (paginated) for printing
-
-                - jdk.mk:        a file comprising most (if not all)
-                                 of the default Java related build
-                                 information; the definitions in this
-                                 file are only included if NS_USE_JDK
-                                 has been defined
-
-                - jniregen.pl:   a perl script used to create a
-                                 dependency for when JNI files should
-                                 be regenerated (based upon any change
-                                 to the ".class" file from which the
-                                 ".h" file was originally generated)
-
-                - outofdate.pl:  a perl script used to create a
-                                 dependency for when ".class" files
-                                 should be regenerated (based upon
-                                 any change to the ".java" file
-                                 from which the ".class" file was
-                                 originally generated)
-
-        (2) As stated above, the ns/coreconf build system now separates
-            the link phase of a program from its compilation phase.
-            While ns/coreconf still works exactly as it used to because
-            the $(MKPROG) variable is assigned $(CC) by default, a developer
-            may now override this behavior by simply supplying their
-            own unique value for $(MKPROG) on every platform.  This allows
-            a program compiled with $(CC) to link with external libraries
-            that may contain "C++" linkage.  Before this change, a
-            programmer would need to reference their own local copy of
-            rules.mk (see the ns/sectools/cmd/pk12util program for
-            an example of how this used to be accomplished).
-
-        (3) Currently, the ns/coreconf build system differs from the
-            NSPR 2.0 build system which utilizes an "_s" to denote
-            static libraries from import libraries.  In fact, the
-            ns/coreconf build system adds no prefixes or suffixes to
-            distinguish one version of static libraries from another.
-            Note that both the ns/coreconf build system as well as the
-            NSPR 2.0 build system do nothing to provide a method of
-            distinguishing 16-bit from 32-bit static libraries on the
-            same machine, either, since:
-
-                a) this might only provide difficulty during
-                   development, since static libraries always
-                   need to be embedded within a program
-                   (note this is highly unlikely, since libraries
-                    for different platforms are subdivided via
-                    a well-known subdirectory structure, and
-                    a developer may use multiple trees for
-                    development),
-
-                b) this maintains backwards compatibility,
-                   something very important since no legacy
-                   programs will need to change their link phase, and
-
-                c) Netscape as a company has dropped any plans
-                   of future development of 16-bit products.
-
-        (4) Since several members of the Hardcore Security group did
-            not favor NSPR 2.0's solution of adding an "_s" to static
-            libraries on Windows platforms as a method to distinguish
-            them from their import library cousins, a different solution
-            was proposed and has been recently implemented for ns/coreconf:
-
-                - a 16 has been added as a suffix to both dynamic and
-                  import libraries built on 16-bit Windows platforms
-
-                - a 32 has been added as a suffix to both dynamic and
-                  import libraries built on 32-bit Windows platforms
-
-            Since, the HCL release process currently only contains a
-            single instance of building a dynamic library,
-            ns/security/lib/fortcrypt/fort12.dll, the impact of this
-            change should be relatively small.
-
-            It should be noted that although this would additionally
-            limit the 8.3 namespace on 16-bit platforms, it is highly
-            unlikely that any future development will be performed on
-            this platform.
-
-        (5) The $(LIBRARY_VERSION) tag has been added to all non-static
-            libraries created on UNIX operating systems to alleviate
-            any future confusion for binary releases which utilize this
-            tag.  Again, it should be noted that this tag is only
-            utilized on non-static libraries, since more than one
-            version of the library may need to exist simultaneously
-            if multiple products are utilized.
-
-            Currently, only one HCL released library utilizes this tag:
-
-                ns/security/lib/fortcrypt/fort12.a
-                (e. g. - in this library, the tag has been set to '12')
-
-            Again, it should be noted that although this would
-            additionally limit the 8.3 namespace on 16-bit platforms,
-            it is highly unlikely that any future development will be
-            performed on this platform.
-
-        (6) The $(JDK_DEBUG_SUFFIX) extension has been added to all
-            library and program names to support debug versions of
-            Java programs (e. g. - java_g, javac_g, etc).
-
-            Once again, it should be noted that although this would
-            additionally limit the 8.3 namespace on 16-bit platforms,
-            it is highly unlikely that any future Java development
-            will be performed on this platform.
-
-        (7) Most (if not all) default definitions for java have been
-            encapsulated within their own file, jdk.mk, which is
-            always included by default in ns/coreconf/config.mk.
-            However, the definitions within this file are only ever
-            activated if NS_USE_JDK has been set to be 1.
-
-
-        (8) Two perl scripts (jniregen.pl and outofdate.pl) have been
-            added to the system to foster a more robust development
-            environment for composing Java and JNI programs
-            utilizing the ns/coreconf build system.  Both of these
-            perl scripts are related to resolving dependencies which
-            can not be accomplished through normal makefile dependencies.
-
-        (9) This file, README, was created in an attempt to allow
-            developers who have familiarity with ns/coreconf a simple
-            roadmap for what has changed, as well as a top-level view of
-            what comprises ns/coreconf.  This file was written in
-            ASCII (rather than HTML) primarily to promote simple
-            paginated printing.
-
-OVERVIEW of "config.mk":
-
-    This file contains the configuration information necessary to
-    build each "Core Components" source module:
-
-        include file name       Purpose
-        ===================     =======================================
-        arch.mk                 source and release <architecture> tags
-
-        command.mk              default command macros 
-				(NOTE: may be overridden in $(OS_CONFIG).mk)
-
-        $(OS_CONFIG).mk         <architecture>-specific macros
-                                (dependent upon <architecture> tags)
-
-        platform.mk             source and release <platform> tags 
-				(dependent upon <architecture> tags)
-
-        tree.mk                 release <tree> tags 
-				(dependent upon <architecture> tags)
-
-        module.mk               source and release <component> tags 
-				(NOTE:  A component is also called a module 
-				or a subsystem.  This file is dependent upon
-                                $(MODULE) being defined on the command
-                                line, as an environment variable, or in
-                                individual makefiles, or more
-                                appropriately, manifest.mn)
-
-        version.mk              release <version> tags 
-				(dependent upon $(MODULE) being defined on 
-				the command line, as an environment variable, 
-				or in individual makefiles, or more
-                                appropriately, manifest.mn)
-
-        location.mk             macros to figure out binary code location
-                                (dependent upon <platform> tags)
-
-        source.mk               <component>-specific source path
-                                (dependent upon <user_source_tree>,
-                                <source_component>, <version>, and
-                                <platform> tags)
-
-        headers.mk              include switch for support header files 
-				(dependent upon <tree>, <component>, <version>,
-                                and <platform> tags)
-
-        prefix.mk               compute program prefixes
-
-        suffix.mk               compute program suffixes 
-				(dependent upon <architecture> tags)
-
-        jdk.mk                  define JDK 
-				(dependent upon <architecture>,
-                                <source>, and <suffix> tags)
-
-        ruleset.mk              Master "Core Components" rule set
-                                (should always be the last file
-                                included by config.mk)
-
-
-
-OVERVIEW of "rules.mk":
-
-    The "rules.mk" file consists of four sections.  The first section
-    contains the "master" build rules for all binary releases.  While
-    this section can (and should) largely be thought of as "language"
-    independent, it does utilize the "perl" scripting language to
-    perform both the "import" and "release" of binary modules.
-
-    The rules which dwell in this section and their purpose:
-
-
-        CATEGORY/rule::         Purpose
-        ===================     =======================================
-
-        GENERAL
-        -------
-        all::                   "default" all-encompassing rule which
-                                performs "export libs program install"
-
-        export::                recursively copy specified
-                                cross-platform header files to the
-                                $(SOURCE_XPHEADERS_DIR) directory;
-                                recursively copy specified
-                                machine-dependent header files to the
-                                $(SOURCE_MDHEADERS_DIR) directory;
-                                although all rules can be written to
-                                repetively "chain" into other sections,
-                                this rule is the most commonly used
-                                rule to "chain" into other sections
-                                such as Java providing a simple
-                                mechanism which allows no need for
-                                developers to memorize specialized
-                                rules
-
-        libs::                  recursively build
-                                static (archival) $(LIBRARY), shared
-                                (dynamic link) $(SHARED_LIBRARY),
-                                import $(IMPORT_LIBRARY), and/or
-                                "purified" $(PURE_LIBRARY)
-                                libraries
-
-        program::               recursively build $(PROGRAM)
-                                executable
-
-        install::               recursively copy all libraries to
-                                $(SOURCE_LIB_DIR) directory;
-                                recursively copy all executables to
-                                $(SOURCE_BIN_DIR) directory
-
-        clean::                 remove all files specified in the
-                                $(ALL_TRASH) variable
-
-        clobber::               synonym for "clean::" rule
-
-        realclean::             remove all files specified by
-                                $(wildcard *.OBJ), dist, and in
-                                the $(ALL_TRASH) variable
-
-        clobber_all::           synonym for "realclean::" rule
-
-        private_export::        recursively copy specified
-                                cross-platform header files to the
-                                $(SOURCE_XPPRIVATE_DIR) directory
-
-
-        IMPORT
-        ------
-        import::                uses perl script to retrieve specified
-                                VERSION of the binary release from
-                                $(RELEASE_TREE)
-
-        RELEASE
-        -------
-        release_clean::         remove all files from the
-                                $(SOURCE_RELEASE_PREFIX) directory
-
-        release::               place specified VERSION of the
-                                binary release in the appropriate
-                                $(RELEASE_TREE) directory
-
-        release_export::        recursively copy specified
-                                cross-platform header files to the
-                                $(SOURCE_XPHEADERS_DIR)/include
-                                directory
-
-        release_md::            recursively copy all libraries to
-                                $(SOURCE_RELEASE_PREFIX)/
-                                $(SOURCE_RELEASE_LIB_DIR) directory;
-                                recursively copy all executables to
-                                $(SOURCE_RELEASE_PREFIX)/
-                                $(SOURCE_RELEASE_BIN_DIR) directory
-
-        release_jars::          use perl script to package appropriate
-                                files in the $(XPCLASS_JAR),
-                                $(XPHEADER_JAR), $(MDHEADER_JAR), and
-                                $(MDBINARY_JAR) jar files
-
-        release_cpdistdir::     use perl script to copy the
-                                $(XPCLASS_JAR), $(XPHEADER_JAR),
-                                $(MDHEADER_JAR), and $(MDBINARY_JAR)
-                                jar files to the specified VERSION
-                                of the $(RELEASE_TREE) directory
-
-
-
-        TOOLS and AUTOMATION
-        --------------------
-        platform::              tool used to display the platform name
-                                as composed within the "arch.mk" file
-
-        autobuild::             automation rule used by "Bonsai" and
-                                "Tinderbox" to automatically generate
-                                binary releases on various platforms
-
-        tests::                 automation tool used to run the
-                                "regress" and "reporter" tools 
-                                on various regression test suites
-
-    The second section of "rules.mk" primarily contains several
-    "language" dependent build rules for binary releases.  These are
-    generally "computed" rules (created on the "fly"), and include
-    rules used by "C", "C++", assembly, the preprocessor, perl, and
-    the shell.
-
-    The rules which dwell in this section and their purpose:
-
-
-        CATEGORY/rule::                   Purpose
-        ===================               =============================
-
-        LIBRARIES
-        ---------
-        $(LIBRARY):                       build the static library
-                                          specified by the $(LIBRARY)
-                                          variable
-
-        $(IMPORT_LIBRARY):                build the import library
-                                          specified by the
-                                          $(IMPORT_LIBRARY) variable
-
-        $(SHARED_LIBRARY):                build the shared
-                                          (dynamic link) library
-                                          specified by the
-                                          $(SHARED_LIBRARY) variable
-
-        $(PURE_LIBRARY):                  build the "purified" library
-                                          specified by the
-                                          $(PURE_LIBRARY) variable
-
-
-        PROGRAMS
-        --------
-        $(PROGRAM):                       build the binary executable
-                                          specified by the $(PROGRAM)
-                                          rule
-
-        $(OBJDIR)/
-        $(PROG_PREFIX)%.pure:             build the "purified" binary
-                                          executable specified by this
-                                          rule
-
-
-        OBJECTS
-        -------
-        $(OBJDIR)/
-        $(PROG_PREFIX)%$(OBJ_SUFFIX):     build the object file
-                                          associated with the
-                                          makefile rule dependency:
-
-                                              %.c   = C file
-                                              %.cpp = C++ file
-                                              %.cc  = C++ file
-                                              %.s   = assembly file
-                                              %.S   = assembly file
-
-        $(OBJDIR)/
-        $(PROG_PREFIX)%:                  (NOTE: deprecated rule)
-                                          build the object file
-                                          associated with the
-                                          makefile rule dependency:
-
-                                              %.cpp = C++ file
-
-        MISCELLANEOUS
-        -------------
-        $(DIRS)::                         specifies a helper method
-                                          used by $(LOOP_THROUGH_DIRS)
-                                          to recursively change
-                                          directories and invoke
-                                          $(MAKE)
-
-        %.i:                              build the preprocessor file
-                                          associated with the
-                                          makefile rule dependency:
-
-                                              %.c   = C file
-                                              %.cpp = C++ file
-
-        %:                                process the specified file
-                                          using the method associated
-                                          with the makefile rule
-                                          dependency:
-
-                                              %.pl = perl script
-                                              %.sh = shell script
-
-        alltags:                          tool used to recursively
-                                          create a "ctags"-style
-                                          file for reference
-
-    The third section of "rules.mk' primarily contains several JAVA
-    "language" build rules for binary releases.  These are also
-    generally "computed" rules (created on the "fly").
-
-    The rules which dwell in this section and their purpose:
-
-
-        CATEGORY/rule::                   Purpose
-        ===================               =============================
-        $(JAVA_DESTPATH)::                create directory specified
-                                          as the Java destination path
-                                          for where classes are
-                                          deposited
-
-        $(JAVA_DESTPATH)/$(PACKAGE)::     create directories specified
-                                          within the $(PACKAGE)
-                                          variable
-
-        $(JMCSRCDIR)::                    create directory specified
-                                          as the JMC destination path
-
-        $(JRI_HEADER_CFILES):             used to generate/regenerate
-                                          JRI header files for "C"
-
-        $(JRI_STUB_CFILES):               used to generate/regenerate
-                                          JRI stub files for "C"
-
-        $(JNI_HEADERS):                   used to generate/regenerate
-                                          JNI header files for "C"
-
-    The fourth section of "rules.mk" primarily contains miscellaneous
-    build rules for binary releases.  Many of these rules are here to
-    create new subdirectories, manage dependencies, and/or override
-    standard gmake "Makefile" rules.
-
-    The rules which dwell in this section and their purpose:
-
-
-        CATEGORY/rule::                   Purpose
-        ===================               =============================
-
-        $(PUBLIC_EXPORT_DIR)::            create directory used to
-                                          house public "C" header files
-
-        $(PRIVATE_EXPORT_DIR)::           create directory used to
-                                          house private "C" header
-                                          files
-
-        $(SOURCE_XP_DIR)/
-        release/include::                 create directory used to
-                                          house "C" header files
-                                          contained in a release
-
-        $(MKDEPENDENCIES)::               for UNIX systems, create
-                                          a directory used to house
-                                          dependencies and utilize
-                                          the $(MKDEPEND) rule to
-                                          create them
-
-        $(MKDEPEND)::                     cd to the dependency
-                                          directory and create them
-
-        depend::                          if $(OBJS) exist, perform the
-                                          $(MKDEPEND) rule followed by
-                                          the $(MKDEPENDENCIES) rule
-
-        dependclean::                     remove all files contained
-                                          in the dependency repository
-
-        .DEFAULT:                         standard gmake rule
-
-        .SUFFIXES:                        standard gmake rule
-
-        .PRECIOUS:                        standard gmake rule
-
-        .PHONY:                           standard gmake rule
-
diff --git a/security/coreconf/ReliantUNIX.mk b/security/coreconf/ReliantUNIX.mk
deleted file mode 100644
index 476dcabc1..000000000
--- a/security/coreconf/ReliantUNIX.mk
+++ /dev/null
@@ -1,84 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Config stuff for ReliantUNIX
-#
-
-include $(CORE_DEPTH)/coreconf/UNIX.mk
-
-DEFAULT_COMPILER = cc
-
-ifdef NS_USE_GCC
-	## gcc-2.7.2 homebrewn
-	CC          = gcc
-	CCC         = g++
-	AS          = $(CC)
-	ASFLAGS     += -x assembler-with-cpp
-	LD          = gld
-	ODD_CFLAGS  = -pipe -Wall -Wno-format
-	ifdef BUILD_OPT
-		OPTIMIZER += -O6
-	endif
-	MKSHLIB     = $(LD)
-	MKSHLIB    += -G -h $(@:$(OBJDIR)/%.so=%.so)
-	DSO_LDOPTS += -G -Xlinker -Blargedynsym
-else
-	## native compiler (CDS++ 1.0)
-#	CC   = /usr/bin/cc
-	CC   = cc
-	CCC  = /usr/bin/CC
-	AS   = /usr/bin/cc
-	ODD_CFLAGS  = 
-	ifdef BUILD_OPT
-		OPTIMIZER += -O -F Olimit,4000
-	endif
-	MKSHLIB     = $(CC)
-	MKSHLIB    += -G -h $(@:$(OBJDIR)/%.so=%.so)
-	DSO_LDOPTS += -G -W l,-Blargedynsym
-endif
-
-NOSUCHFILE  = /sni-rm-f-sucks
-ODD_CFLAGS += -DSVR4 -DSNI -DRELIANTUNIX
-CPU_ARCH    = mips
-RANLIB      = /bin/true
-
-# For purify
-NOMD_OS_CFLAGS += $(ODD_CFLAGS)
-
-# we do not have -MDupdate ...
-OS_CFLAGS   += $(NOMD_OS_CFLAGS)
-OS_LIBS     += -lsocket -lnsl -lresolv -lgen -ldl -lc /usr/ucblib/libucb.a
-HAVE_PURIFY  = 0
-
-ifdef DSO_BACKEND
-	DSO_LDOPTS += -h $(DSO_NAME)
-endif
diff --git a/security/coreconf/ReliantUNIX5.4.mk b/security/coreconf/ReliantUNIX5.4.mk
deleted file mode 100644
index a5bca60a3..000000000
--- a/security/coreconf/ReliantUNIX5.4.mk
+++ /dev/null
@@ -1,35 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Config stuff for ReliantUNIX5.4
-#
-include $(CORE_DEPTH)/coreconf/ReliantUNIX.mk
diff --git a/security/coreconf/SCOOS5.0.mk b/security/coreconf/SCOOS5.0.mk
deleted file mode 100644
index b3370a1fd..000000000
--- a/security/coreconf/SCOOS5.0.mk
+++ /dev/null
@@ -1,36 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Config stuff for SCO OpenServer 5.0 for x86.
-#
-
-include $(CORE_DEPTH)/coreconf/SCO_SV3.2.mk
diff --git a/security/coreconf/SCO_SV3.2.mk b/security/coreconf/SCO_SV3.2.mk
deleted file mode 100644
index e9d13b30c..000000000
--- a/security/coreconf/SCO_SV3.2.mk
+++ /dev/null
@@ -1,86 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Config stuff for SCO Unix for x86.
-#
-
-include $(CORE_DEPTH)/coreconf/UNIX.mk
-
-DEFAULT_COMPILER = cc
-
-CC         = cc
-OS_CFLAGS += -b elf -KPIC
-CCC        = g++
-CCC       += -b elf -DPRFSTREAMS_BROKEN -I/usr/local/lib/g++-include
-# CCC      = $(CORE_DEPTH)/build/hcpp
-# CCC     += +.cpp +w
-RANLIB     = /bin/true
-
-#
-# -DSCO_PM - Policy Manager AKA: SCO Licensing
-# -DSCO - Changes to Netscape source (consistent with AIX, LINUX, etc..)
-# -Dsco - Needed for /usr/include/X11/*
-#
-OS_CFLAGS   += -DSCO_SV -DSYSV -D_SVID3 -DHAVE_STRERROR -DSW_THREADS -DSCO_PM -DSCO -Dsco
-#OS_LIBS     += -lpmapi -lsocket -lc
-MKSHLIB      = $(LD)
-MKSHLIB     += $(DSO_LDOPTS)
-XINC         = /usr/include/X11
-MOTIFLIB    += -lXm
-INCLUDES    += -I$(XINC)
-CPU_ARCH     = x86
-GFX_ARCH     = x
-ARCH         = sco
-LOCALE_MAP   = $(CORE_DEPTH)/cmd/xfe/intl/sco.lm
-EN_LOCALE    = C
-DE_LOCALE    = de_DE.ISO8859-1
-FR_LOCALE    = fr_FR.ISO8859-1
-JP_LOCALE    = ja
-SJIS_LOCALE  = ja_JP.SJIS
-KR_LOCALE    = ko_KR.EUC
-CN_LOCALE    = zh
-TW_LOCALE    = zh
-I2_LOCALE    = i2
-LOC_LIB_DIR  = /usr/lib/X11
-NOSUCHFILE   = /solaris-rm-f-sucks
-BSDECHO      = /bin/echo
-
-#
-# These defines are for building unix plugins
-#
-BUILD_UNIX_PLUGINS  = 1
-#DSO_LDOPTS         += -b elf -G -z defs
-DSO_LDOPTS         += -b elf -G
-DSO_LDFLAGS        += -nostdlib -L/lib -L/usr/lib -lXm -lXt -lX11 -lgen
-
-# Used for Java compiler
-EXPORT_FLAGS += -W l,-Bexport
diff --git a/security/coreconf/SunOS4.1.3_U1.mk b/security/coreconf/SunOS4.1.3_U1.mk
deleted file mode 100644
index 94be22508..000000000
--- a/security/coreconf/SunOS4.1.3_U1.mk
+++ /dev/null
@@ -1,59 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Config stuff for SunOS4.1
-#
-
-include $(CORE_DEPTH)/coreconf/UNIX.mk
-
-DEFAULT_COMPILER = cc
-
-INCLUDES += -I/usr/dt/include -I/usr/openwin/include -I/home/motif/usr/include
-
-# SunOS 4 _requires_ that shared libs have a version number.
-# XXX FIXME: Version number should use NSPR_VERSION_NUMBER?
-DLL_SUFFIX = so.1.0
-CC         = gcc
-RANLIB     = ranlib
-CPU_ARCH   = sparc
-
-# Purify doesn't like -MDupdate
-NOMD_OS_CFLAGS += -Wall -Wno-format -DSUNOS4
-OS_CFLAGS      += $(DSO_CFLAGS) $(NOMD_OS_CFLAGS) -MDupdate $(DEPENDENCIES)
-MKSHLIB         = $(LD)
-MKSHLIB        += $(DSO_LDOPTS)
-HAVE_PURIFY     = 1
-NOSUCHFILE      = /solaris-rm-f-sucks
-DSO_LDOPTS      =
-
-# -fPIC generates position-independent code for use in a shared library.
-DSO_CFLAGS += -fPIC
diff --git a/security/coreconf/SunOS5.3.mk b/security/coreconf/SunOS5.3.mk
deleted file mode 100644
index e103d9f57..000000000
--- a/security/coreconf/SunOS5.3.mk
+++ /dev/null
@@ -1,38 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Config stuff for SunOS5.3
-#
-
-SOL_CFLAGS =
-
-include $(CORE_DEPTH)/coreconf/SunOS5.mk
diff --git a/security/coreconf/SunOS5.4.mk b/security/coreconf/SunOS5.4.mk
deleted file mode 100644
index fe24c33e0..000000000
--- a/security/coreconf/SunOS5.4.mk
+++ /dev/null
@@ -1,38 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Config stuff for SunOS5.4
-#
-
-SOL_CFLAGS =
-
-include $(CORE_DEPTH)/coreconf/SunOS5.mk
diff --git a/security/coreconf/SunOS5.4_i86pc.mk b/security/coreconf/SunOS5.4_i86pc.mk
deleted file mode 100644
index bed9893ed..000000000
--- a/security/coreconf/SunOS5.4_i86pc.mk
+++ /dev/null
@@ -1,68 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Config stuff for Solaris 2.4 on x86
-#
-
-include $(CORE_DEPTH)/coreconf/UNIX.mk
-
-DEFAULT_COMPILER = cc
-
-ifdef NS_USE_GCC
-	CC		= gcc
-	OS_CFLAGS	+= -Wall -Wno-format
-	CCC		= g++
-	CCC		+= -Wall -Wno-format
-	ASFLAGS		+= -x assembler-with-cpp
-	ifdef NO_MDUPDATE
-		OS_CFLAGS += $(NOMD_OS_CFLAGS)
-	else
-		OS_CFLAGS += $(NOMD_OS_CFLAGS) -MDupdate $(DEPENDENCIES)
-	endif
-else
-	CC		= cc
-	CCC		= CC
-	ASFLAGS		+= -Wa,-P
-	OS_CFLAGS	+= $(NOMD_OS_CFLAGS)
-endif
-
-CPU_ARCH	= x86
-
-MKSHLIB		= $(LD)
-MKSHLIB		+= $(DSO_LDOPTS)
-NOSUCHFILE	= /solx86-rm-f-sucks
-RANLIB		= echo
-
-# for purify
-NOMD_OS_CFLAGS	+= -DSVR4 -DSYSV -D_REENTRANT -DSOLARIS -D__svr4__ -Di386
-
-DSO_LDOPTS	+= -G
diff --git a/security/coreconf/SunOS5.5.1.mk b/security/coreconf/SunOS5.5.1.mk
deleted file mode 100644
index f85932b59..000000000
--- a/security/coreconf/SunOS5.5.1.mk
+++ /dev/null
@@ -1,44 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Config stuff for SunOS5.5.1
-#
-
-SOL_CFLAGS += -D_SVID_GETTOD
-
-include $(CORE_DEPTH)/coreconf/SunOS5.mk
-
-ifeq ($(OS_RELEASE),5.5.1)
-	OS_DEFINES += -DSOLARIS2_5
-endif
-
-OS_LIBS += -lthread -lnsl -lsocket -lposix4 -ldl -lc 
diff --git a/security/coreconf/SunOS5.5.mk b/security/coreconf/SunOS5.5.mk
deleted file mode 100644
index e83356f15..000000000
--- a/security/coreconf/SunOS5.5.mk
+++ /dev/null
@@ -1,42 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Config stuff for SunOS5.5
-#
-
-SOL_CFLAGS += -D_SVID_GETTOD
-
-include $(CORE_DEPTH)/coreconf/SunOS5.mk
-
-ifeq ($(OS_RELEASE),5.5)
-	OS_DEFINES += -DSOLARIS2_5
-endif
diff --git a/security/coreconf/SunOS5.6.mk b/security/coreconf/SunOS5.6.mk
deleted file mode 100644
index 774d2b7a6..000000000
--- a/security/coreconf/SunOS5.6.mk
+++ /dev/null
@@ -1,44 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Config stuff for SunOS5.6
-#
-
-SOL_CFLAGS += -D_SVID_GETTOD
-
-include $(CORE_DEPTH)/coreconf/SunOS5.mk
-
-ifeq ($(OS_RELEASE),5.6)
-	OS_DEFINES += -DSOLARIS2_6
-endif
-
-OS_LIBS += -lthread -lnsl -lsocket -lposix4 -ldl -lc 
diff --git a/security/coreconf/SunOS5.6_i86pc.mk b/security/coreconf/SunOS5.6_i86pc.mk
deleted file mode 100644
index 286ff3505..000000000
--- a/security/coreconf/SunOS5.6_i86pc.mk
+++ /dev/null
@@ -1,45 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Config stuff for Solaris 2.6 on x86
-# 
-
-SOL_CFLAGS	= -D_SVID_GETTOD
-
-include $(CORE_DEPTH)/coreconf/SunOS5.mk
-
-CPU_ARCH		= x86
-OS_DEFINES		+= -Di386
-
-ifeq ($(OS_RELEASE),5.6_i86pc)
-	OS_DEFINES += -DSOLARIS2_6
-endif
diff --git a/security/coreconf/SunOS5.7.mk b/security/coreconf/SunOS5.7.mk
deleted file mode 100644
index dd676e2a9..000000000
--- a/security/coreconf/SunOS5.7.mk
+++ /dev/null
@@ -1,44 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Config stuff for SunOS5.7
-#
-
-SOL_CFLAGS += -D_SVID_GETTOD
-
-include $(CORE_DEPTH)/coreconf/SunOS5.mk
-
-ifeq ($(OS_RELEASE),5.7)
-	OS_DEFINES += -DSOLARIS2_7
-endif
-
-OS_LIBS += -lthread -lnsl -lsocket -lposix4 -ldl -lc 
diff --git a/security/coreconf/SunOS5.8.mk b/security/coreconf/SunOS5.8.mk
deleted file mode 100644
index 95fc01090..000000000
--- a/security/coreconf/SunOS5.8.mk
+++ /dev/null
@@ -1,44 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Config stuff for SunOS5.8
-#
-
-SOL_CFLAGS += -D_SVID_GETTOD
-
-include $(CORE_DEPTH)/coreconf/SunOS5.mk
-
-ifeq ($(OS_RELEASE),5.8)
-	OS_DEFINES += -DSOLARIS2_8
-endif
-
-OS_LIBS += -lthread -lnsl -lsocket -lposix4 -ldl -lc 
diff --git a/security/coreconf/SunOS5.mk b/security/coreconf/SunOS5.mk
deleted file mode 100644
index 388679d1c..000000000
--- a/security/coreconf/SunOS5.mk
+++ /dev/null
@@ -1,133 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Config stuff for SunOS5.x
-#
-
-include $(CORE_DEPTH)/coreconf/UNIX.mk
-
-ifeq ($(USE_64), 1)
-	ARCHFLAG=-xarch=v9
-	LD=/usr/ccs/bin/ld
-else
-	ARCHFLAG=-xarch=v8
-endif
-
-#
-# Temporary define for the Client; to be removed when binary release is used
-#
-ifdef MOZILLA_CLIENT
-	LOCAL_THREADS_ONLY = 1
-	ifndef NS_USE_NATIVE
-		NS_USE_GCC = 1
-	endif
-endif
-
-#
-# The default implementation strategy for Solaris is classic nspr.
-#
-ifeq ($(USE_PTHREADS),1)
-	IMPL_STRATEGY = _PTH
-else
-	ifeq ($(LOCAL_THREADS_ONLY),1)
-		IMPL_STRATEGY = _LOCAL
-		DEFINES += -D_PR_LOCAL_THREADS_ONLY
-	else
-		DEFINES += -D_PR_GLOBAL_THREADS_ONLY
-	endif
-endif
-
-#
-# Temporary define for the Client; to be removed when binary release is used
-#
-ifdef MOZILLA_CLIENT
-	IMPL_STRATEGY =
-endif
-
-DEFAULT_COMPILER = cc
-
-ifdef NS_USE_GCC
-	CC         = gcc
-	OS_CFLAGS += -Wall -Wno-format
-	CCC        = g++
-	CCC       += -Wall -Wno-format
-	ASFLAGS	  += -x assembler-with-cpp
-	ifdef NO_MDUPDATE
-		OS_CFLAGS += $(NOMD_OS_CFLAGS)
-	else
-		OS_CFLAGS += $(NOMD_OS_CFLAGS) -MDupdate $(DEPENDENCIES)
-	endif
-else
-	CC         = cc
-	CCC        = CC
-	ASFLAGS   += -Wa,-P
-	OS_CFLAGS += $(NOMD_OS_CFLAGS) $(ARCHFLAG)
-	ifndef BUILD_OPT
-		OS_CFLAGS  += -xs
-#	else
-#		OPTIMIZER += -fast
-	endif
-
-endif
-
-INCLUDES   += -I/usr/dt/include -I/usr/openwin/include
-
-RANLIB      = echo
-CPU_ARCH    = sparc
-OS_DEFINES += -DSVR4 -DSYSV -D__svr4 -D__svr4__ -DSOLARIS
-
-ifneq ($(LOCAL_THREADS_ONLY),1)
-	OS_DEFINES		+= -D_REENTRANT
-endif
-
-# Purify doesn't like -MDupdate
-NOMD_OS_CFLAGS += $(DSO_CFLAGS) $(OS_DEFINES) $(SOL_CFLAGS)
-
-MKSHLIB  = $(LD)
-MKSHLIB += $(DSO_LDOPTS)
-
-# ld options:
-# -G: produce a shared object
-# -z defs: no unresolved symbols allowed
-DSO_LDOPTS += -G
-
-# -KPIC generates position independent code for use in shared libraries.
-# (Similarly for -fPIC in case of gcc.)
-ifdef NS_USE_GCC
-	DSO_CFLAGS += -fPIC
-else
-	DSO_CFLAGS += -KPIC
-endif
-
-HAVE_PURIFY  = 1
-NOSUCHFILE   = /solaris-rm-f-sucks
-
diff --git a/security/coreconf/UNIX.mk b/security/coreconf/UNIX.mk
deleted file mode 100644
index cbeac85fd..000000000
--- a/security/coreconf/UNIX.mk
+++ /dev/null
@@ -1,87 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-XP_DEFINE  += -DXP_UNIX
-LIB_SUFFIX  = a
-DLL_SUFFIX  = so
-AR          = ar
-AR         += cr $@
-LDOPTS     += -L$(SOURCE_LIB_DIR)
-
-ifdef BUILD_OPT
-	OPTIMIZER  += -O
-	DEFINES    += -UDEBUG -DNDEBUG
-else
-	OPTIMIZER  += -g
-	DEFINES    += -DDEBUG -UNDEBUG -DDEBUG_$(shell whoami)
-endif
-
-NSINSTALL_DIR  = $(CORE_DEPTH)/coreconf/nsinstall
-NSINSTALL      = $(NSINSTALL_DIR)/$(OBJDIR_NAME)/nsinstall
-
-MKDEPEND_DIR    = $(CORE_DEPTH)/coreconf/mkdepend
-MKDEPEND        = $(MKDEPEND_DIR)/$(OBJDIR_NAME)/mkdepend
-MKDEPENDENCIES  = $(OBJDIR_NAME)/depend.mk
-
-####################################################################
-#
-# One can define the makefile variable NSDISTMODE to control
-# how files are published to the 'dist' directory.  If not
-# defined, the default is "install using relative symbolic
-# links".  The two possible values are "copy", which copies files
-# but preserves source mtime, and "absolute_symlink", which
-# installs using absolute symbolic links.  The "absolute_symlink"
-# option requires NFSPWD.
-#   - THIS IS NOT PART OF THE NEW BINARY RELEASE PLAN for 9/30/97
-#   - WE'RE KEEPING IT ONLY FOR BACKWARDS COMPATIBILITY
-####################################################################
-
-ifeq ($(NSDISTMODE),copy)
-	# copy files, but preserve source mtime
-	INSTALL  = $(NSINSTALL)
-	INSTALL += -t
-else
-	ifeq ($(NSDISTMODE),absolute_symlink)
-		# install using absolute symbolic links
-		INSTALL  = $(NSINSTALL)
-		INSTALL += -L `$(NFSPWD)`
-	else
-		# install using relative symbolic links
-		INSTALL  = $(NSINSTALL)
-		INSTALL += -R
-	endif
-endif
-
-define MAKE_OBJDIR
-if test ! -d $(@D); then rm -rf $(@D); $(NSINSTALL) -D $(@D); fi
-endef
diff --git a/security/coreconf/UNIXWARE2.1.mk b/security/coreconf/UNIXWARE2.1.mk
deleted file mode 100644
index b9bd69900..000000000
--- a/security/coreconf/UNIXWARE2.1.mk
+++ /dev/null
@@ -1,51 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#
-# Config stuff for SCO Unixware 2.1
-#
-
-include $(CORE_DEPTH)/coreconf/UNIX.mk
-
-DEFAULT_COMPILER = $(CORE_DEPTH)/build/hcc
-
-CC         = $(CORE_DEPTH)/build/hcc
-CCC         = $(CORE_DEPTH)/build/hcpp
-RANLIB      = true
-OS_CFLAGS   = -KPIC -DSVR4 -DSYSV -DUNIXWARE
-MKSHLIB     = $(LD)
-MKSHLIB    += $(DSO_LDOPTS)
-DSO_LDOPTS += -G
-CPU_ARCH    = x86
-ARCH        = sco
-NOSUCHFILE  = /solaris-rm-f-sucks
diff --git a/security/coreconf/WIN16.mk b/security/coreconf/WIN16.mk
deleted file mode 100644
index 68832d21c..000000000
--- a/security/coreconf/WIN16.mk
+++ /dev/null
@@ -1,117 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#
-# win16_3.11.mk -- Make configuration for Win16
-#
-# This file configures gmake to build the Win16 variant of
-# NSPR 2.0. This file has the function of two files commonly
-# used on other platforms, for example: winnt.mk and
-# winnt4.0.mk. ... The packaging is easier and there is only
-# one variant of the Win16 target.
-# 
-# Win16 is built using the Watcom C/C++ version 11.0
-# compiler. You gotta set up the compiler first. 
-# The Watcom compiler depends on a few environment
-# variables; these environment variables define where the
-# compiler components are installed; they must be set before
-# running the make.
-# 
-# Notes:
-# OS_CFLAGS is the command line options for the compiler when
-#   building the .DLL object files.
-# OS_EXE_CFLAGS is the command line options for the compiler
-#   when building the .EXE object files; this is for the test
-#   programs.
-# the macro OS_CFLAGS is set to OS_EXE_CFLAGS inside of the
-#   makefile for the pr/tests directory. ... Hack.
-# 
-# 
-# 
-# 
-
-# -- configuration -----------------------------------------
-
-DEFAULT_COMPILER = wcc
-
-CC           = wcc
-CCC          = wcl
-LINK         = wlink
-AR           = wlib
-AR          += -q $@
-RC           = wrc.exe
-RC          += /r /dWIN16=1 /bt=windows
-RANLIB       = echo
-BSDECHO      = echo
-NSINSTALL_DIR  = $(CORE_DEPTH)/coreconf/nsinstall
-NSINSTALL      = nsinstall
-INSTALL	     = $(NSINSTALL)
-MAKE_OBJDIR  = mkdir
-MAKE_OBJDIR += $(OBJDIR)
-XP_DEFINE   += -DXP_PC
-LIB_SUFFIX   = lib
-DLL_SUFFIX   = dll
-
-ifdef BUILD_OPT
-	OPTIMIZER   = -oneatx -oh -oi -ei -3 -fpi87 -fp3
-else
-	OPTIMIZER  += -d2 -hc -DDEBUG
-#	OPTIMIZER  += -d2 -hw -DDEBUG
-#	LDFLAGS  += -DEBUG -DEBUGTYPE:CV
-endif
-
-#
-# $(CPU_ARCH) has been commented out so that its contents
-# are not added to the WIN16_?.OBJ names thus expanding
-# them beyond the 8.3 character limit for this platform.
-#
-#CPU_ARCH       = x386
-#
-# added "-s" to avoid dependency on watcom's libs (e.g. on _STK)
-# added "-zt3" for compatibility with MSVC's "/Gt3" option
-#
-OS_CFLAGS     += -ml -3 -bd -zc -zu -bt=windows -s -zt3 -d_X86_ -dWIN16 -d_WINDLL 
-#OS_EXE_CFLAGS += -ml -3 -bt=windows -d_X86_ -dWIN16
-OS_LIB_FLAGS   = -c -iro
-
-# Name of the binary code directories
-OS_DLL_OPTION = CASEEXACT
-OS_DLLFLAGS  =
-OS_LIBS      =
-W16_EXPORTS  = #
-
-#
-#  The following is NOT needed for the NSPR 2.0 library.
-#
-
-OS_CFLAGS += -d_WINDOWS -d_MSC_VER=700
diff --git a/security/coreconf/WIN32.mk b/security/coreconf/WIN32.mk
deleted file mode 100644
index 61563e49a..000000000
--- a/security/coreconf/WIN32.mk
+++ /dev/null
@@ -1,100 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#
-# Configuration common to all versions of Windows NT
-# and Windows 95
-#
-
-DEFAULT_COMPILER = cl
-
-CC           = cl
-CCC          = cl
-LINK         = link
-AR           = lib
-AR          += -NOLOGO -OUT:"$@"
-RANLIB       = echo
-BSDECHO      = echo
-
-NSINSTALL_DIR  = $(CORE_DEPTH)/coreconf/nsinstall
-NSINSTALL      = nsinstall
-
-MKDEPEND_DIR    = $(CORE_DEPTH)/coreconf/mkdepend
-MKDEPEND        = $(MKDEPEND_DIR)/$(OBJDIR_NAME)/mkdepend.exe
-# Note: MKDEPENDENCIES __MUST__ be a relative pathname, not absolute.
-# If it is absolute, gmake will crash unless the named file exists.
-MKDEPENDENCIES  = $(OBJDIR_NAME)/depend.mk
-
-INSTALL      = $(NSINSTALL)
-MAKE_OBJDIR  = mkdir
-MAKE_OBJDIR += $(OBJDIR)
-RC           = rc.exe
-GARBAGE     += $(OBJDIR)/vc20.pdb $(OBJDIR)/vc40.pdb
-XP_DEFINE   += -DXP_PC
-LIB_SUFFIX   = lib
-DLL_SUFFIX   = dll
-
-ifdef BUILD_OPT
-	OS_CFLAGS  += -MD
-	OPTIMIZER  += -O2
-	DEFINES    += -UDEBUG -U_DEBUG -DNDEBUG
-	DLLFLAGS   += -OUT:"$@"
-else
-	#
-	# Define USE_DEBUG_RTL if you want to use the debug runtime library
-	# (RTL) in the debug build
-	#
-	ifdef USE_DEBUG_RTL
-		OS_CFLAGS += -MDd
-	else
-		OS_CFLAGS += -MD
-	endif
-	OPTIMIZER  += -Od -Z7
-	#OPTIMIZER += -Zi -Fd$(OBJDIR)/ -Od
-	DEFINES    += -DDEBUG -D_DEBUG -UNDEBUG -DDEBUG_$(USERNAME)
-	DLLFLAGS   += -DEBUG -DEBUGTYPE:CV -OUT:"$@"
-	LDFLAGS    += -DEBUG -DEBUGTYPE:CV
-endif
-
-DEFINES += -DWIN32
-
-#
-#  The following is NOT needed for the NSPR 2.0 library.
-#
-
-DEFINES += -D_WINDOWS
-
-# override default, which is ASFLAGS = CFLAGS
-AS	= ml.exe
-ASFLAGS = -Cp -Sn -Zi -coff $(INCLUDES)
-
diff --git a/security/coreconf/WIN954.0.mk b/security/coreconf/WIN954.0.mk
deleted file mode 100644
index 68b3b7e4f..000000000
--- a/security/coreconf/WIN954.0.mk
+++ /dev/null
@@ -1,63 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#
-# Config stuff for WIN95
-#
-# This makefile defines the following variables:
-# CPU_ARCH, OS_CFLAGS, and OS_DLLFLAGS.
-# PROCESSOR is an internal variable.
-
-include $(CORE_DEPTH)/coreconf/WIN32.mk
-
-PROCESSOR := $(shell uname -p)
-ifeq ($(PROCESSOR), I386)
-	CPU_ARCH   = x386
-	OS_CFLAGS += -W3 -nologo -D_X86_
-else 
-	ifeq ($(PROCESSOR), MIPS)
-		CPU_ARCH    = MIPS
-		#OS_CFLAGS += -W3 -nologo -D_MIPS_
-		OS_CFLAGS  += -W3 -nologo
-	else 
-		ifeq ($(PROCESSOR), ALPHA)
-			CPU_ARCH  = ALPHA
-			OS_CFLAGS += -W3 -nologo -D_ALPHA_=1
-		else 
-			CPU_ARCH  = processor_is_undefined
-		endif
-	endif
-endif
-
-OS_DLLFLAGS += -nologo -DLL -SUBSYSTEM:WINDOWS -PDB:NONE
-DEFINES += -DWIN95
diff --git a/security/coreconf/WINNT3.51.mk b/security/coreconf/WINNT3.51.mk
deleted file mode 100644
index 606e7a3b1..000000000
--- a/security/coreconf/WINNT3.51.mk
+++ /dev/null
@@ -1,70 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#
-# Config stuff for WINNT 3.51
-#
-# This makefile defines the following variables:
-# CPU_ARCH, OS_CFLAGS, and OS_DLLFLAGS.
-# It has the following internal variables:
-# OS_PROC_CFLAGS and OS_WIN_CFLAGS.
-
-include $(CORE_DEPTH)/coreconf/WIN32.mk
-
-PROCESSOR := $(shell uname -p)
-ifeq ($(PROCESSOR), I386)
-	CPU_ARCH        = x386
-	OS_PROC_CFLAGS += -D_X86_
-else 
-	ifeq ($(PROCESSOR), MIPS)
-		CPU_ARCH        = MIPS
-		OS_PROC_CFLAGS += -D_MIPS_
-	else 
-		ifeq ($(PROCESSOR), ALPHA)
-			CPU_ARCH        = ALPHA
-			OS_PROC_CFLAGS += -D_ALPHA_
-		else 
-			CPU_ARCH  = processor_is_undefined
-		endif
-	endif
-endif
-
-OS_WIN_CFLAGS += -W3
-OS_CFLAGS     += -nologo $(OS_WIN_CFLAGS) $(OS_PROC_CFLAGS)
-#OS_DLLFLAGS  += -nologo -DLL -PDB:NONE -SUBSYSTEM:WINDOWS
-OS_DLLFLAGS   += -nologo -DLL -PDB:NONE -SUBSYSTEM:WINDOWS
-#
-# Win NT needs -GT so that fibers can work
-#
-OS_CFLAGS     += -GT
-OS_CFLAGS     += -DWINNT
diff --git a/security/coreconf/WINNT4.0.mk b/security/coreconf/WINNT4.0.mk
deleted file mode 100644
index 204b790a8..000000000
--- a/security/coreconf/WINNT4.0.mk
+++ /dev/null
@@ -1,69 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#
-# Config stuff for WINNT 4.0
-#
-# This makefile defines the following variables:
-# CPU_ARCH, OS_CFLAGS, and OS_DLLFLAGS.
-# PROCESSOR is an internal variable.
-
-include $(CORE_DEPTH)/coreconf/WIN32.mk
-
-PROCESSOR := $(shell uname -p)
-ifeq ($(PROCESSOR), I386)
-	CPU_ARCH   = x386
-	OS_CFLAGS += -W3 -nologo -D_X86_
-else 
-	ifeq ($(PROCESSOR), MIPS)
-		CPU_ARCH  = MIPS
-		#OS_CFLAGS += -W3 -nologo -D_MIPS_
-		OS_CFLAGS += -W3 -nologo
-	else 
-		ifeq ($(PROCESSOR), ALPHA)
-			CPU_ARCH  = ALPHA
-			OS_CFLAGS += -W3 -nologo -D_ALPHA_=1
-		else 
-			CPU_ARCH  = processor_is_undefined
-		endif
-	endif
-endif
-
-OS_DLLFLAGS += -nologo -DLL -SUBSYSTEM:WINDOWS -PDB:NONE
-#
-# Win NT needs -GT so that fibers can work
-#
-OS_CFLAGS += -GT
-OS_CFLAGS += -DWINNT
-
-NSPR31_LIB_PREFIX = lib
diff --git a/security/coreconf/arch.mk b/security/coreconf/arch.mk
deleted file mode 100644
index 57af21a2d..000000000
--- a/security/coreconf/arch.mk
+++ /dev/null
@@ -1,301 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#######################################################################
-# Master "Core Components" macros for getting the OS architecture     #
-#######################################################################
-
-#
-# Macros for getting the OS architecture
-#
-
-ifeq ($(USE_64), 1)
-	64BIT_TAG=_64
-else
-	64BIT_TAG=
-endif
-
-OS_ARCH := $(subst /,_,$(shell uname -s))
-
-#
-# Attempt to differentiate between sparc and x86 Solaris
-#
-
-OS_TEST := $(shell uname -m)
-ifeq ($(OS_TEST),i86pc)
-	OS_RELEASE := $(shell uname -r)_$(OS_TEST)
-else
-	OS_RELEASE := $(shell uname -r)
-endif
-
-#
-# Force the IRIX64 machines to use IRIX.
-#
-
-ifeq ($(OS_ARCH),IRIX64)
-	OS_ARCH = IRIX
-endif
-
-#
-# Force the newer BSDI versions to use the old arch name.
-#
-
-ifeq ($(OS_ARCH),BSD_OS)
-	OS_ARCH = BSD_386
-endif
-
-#
-# Catch Deterim if SVR4 is NCR or UNIXWARE
-#
-
-ifeq ($(OS_ARCH),UNIX_SV)
-	ifneq ($(findstring NCR, $(shell grep NCR /etc/bcheckrc | head -1 )),)
-		OS_ARCH = NCR
-	else
-		# Make UnixWare something human readable
-		OS_ARCH = UNIXWARE
-	endif
-
-	# Get the OS release number, not 4.2
-	OS_RELEASE := $(shell uname -v)
-endif
-
-ifeq ($(OS_ARCH),UNIX_System_V)
-	OS_ARCH	= NEC
-endif
-
-ifeq ($(OS_ARCH),AIX)
-	OS_RELEASE := $(shell uname -v).$(shell uname -r)
-endif
-
-#
-# Distinguish between OSF1 V4.0B and V4.0D
-#
-
-ifeq ($(OS_ARCH)$(OS_RELEASE),OSF1V4.0)
-	OS_VERSION := $(shell uname -v)
-	ifeq ($(OS_VERSION),564)
-		OS_RELEASE := V4.0B
-	endif
-	ifeq ($(OS_VERSION),878)
-		OS_RELEASE := V4.0D
-	endif
-endif
-
-#
-# SINIX changes name to ReliantUNIX with 5.43
-#
-
-ifeq ($(OS_ARCH),ReliantUNIX-N)
-	OS_ARCH    = ReliantUNIX
-	OS_RELEASE = 5.4
-endif
-
-ifeq ($(OS_ARCH),SINIX-N)
-	OS_ARCH    = ReliantUNIX
-	OS_RELEASE = 5.4
-endif
-
-#
-# Handle FreeBSD 2.2-STABLE and Linux 2.0.30-osfmach3
-#
-
-ifeq (,$(filter-out Linux FreeBSD,$(OS_ARCH)))
-OS_RELEASE	:= $(shell echo $(OS_RELEASE) | sed 's/-.*//')
-endif
-
-ifeq ($(OS_ARCH),Linux)
-	OS_RELEASE := $(basename $(OS_RELEASE))
-endif
-
-#######################################################################
-# Master "Core Components" macros for getting the OS target           #
-#######################################################################
-
-#
-# Note: OS_TARGET should be specified on the command line for gmake.
-# When OS_TARGET=WIN95 is specified, then a Windows 95 target is built.
-# The difference between the Win95 target and the WinNT target is that
-# the WinNT target uses Windows NT specific features not available
-# in Windows 95. The Win95 target will run on Windows NT, but (supposedly)
-# at lesser performance (the Win95 target uses threads; the WinNT target
-# uses fibers).
-#
-# When OS_TARGET=WIN16 is specified, then a Windows 3.11 (16bit) target
-# is built. See: win16_3.11.mk for lots more about the Win16 target.
-#
-# If OS_TARGET is not specified, it defaults to $(OS_ARCH), i.e., no
-# cross-compilation.
-#
-
-#
-# The following hack allows one to build on a WIN95 machine (as if
-# s/he were cross-compiling on a WINNT host for a WIN95 target).
-# It also accomodates for MKS's uname.exe.  If you never intend
-# to do development on a WIN95 machine, you don't need this. It doesn't
-# work any more anyway.
-#
-ifeq ($(OS_ARCH),WIN95)
-	OS_ARCH   = WINNT
-	OS_TARGET = WIN95
-endif
-ifeq ($(OS_ARCH),Windows_95)
-	OS_ARCH   = Windows_NT
-	OS_TARGET = WIN95
-endif
-
-#
-# On WIN32, we also define the variable CPU_ARCH.
-#
-
-ifeq ($(OS_ARCH), WINNT)
-	CPU_ARCH := $(shell uname -p)
-	ifeq ($(CPU_ARCH),I386)
-		CPU_ARCH = x386
-	endif
-else
-#
-# If uname -s returns "Windows_NT", we assume that we are using
-# the uname.exe in MKS toolkit.
-#
-# The -r option of MKS uname only returns the major version number.
-# So we need to use its -v option to get the minor version number.
-# Moreover, it doesn't have the -p option, so we need to use uname -m.
-#
-ifeq ($(OS_ARCH), Windows_NT)
-	OS_ARCH = WINNT
-	OS_MINOR_RELEASE := $(shell uname -v)
-	ifeq ($(OS_MINOR_RELEASE),00)
-		OS_MINOR_RELEASE = 0
-	endif
-	OS_RELEASE = $(OS_RELEASE).$(OS_MINOR_RELEASE)
-	CPU_ARCH := $(shell uname -m)
-	#
-	# MKS's uname -m returns "586" on a Pentium machine.
-	#
-	ifneq (,$(findstring 86,$(CPU_ARCH)))
-		CPU_ARCH = x386
-	endif
-endif
-endif
-
-ifndef OS_TARGET
-	OS_TARGET = $(OS_ARCH)
-endif
-
-ifeq ($(OS_TARGET), WIN95)
-	OS_RELEASE = 4.0
-endif
-
-ifeq ($(OS_TARGET), WIN16)
-	OS_RELEASE =
-#	OS_RELEASE = _3.11
-endif
-
-#
-# This variable is used to get OS_CONFIG.mk.
-#
-
-OS_CONFIG = $(OS_TARGET)$(OS_RELEASE)
-
-#
-# OBJDIR_TAG depends on the predefined variable BUILD_OPT,
-# to distinguish between debug and release builds.
-#
-
-ifdef BUILD_OPT
-	ifeq ($(OS_TARGET),WIN16)
-		OBJDIR_TAG = _O
-	else
-		OBJDIR_TAG = $(64BIT_TAG)_OPT
-	endif
-else
-	ifdef BUILD_IDG
-		ifeq ($(OS_TARGET),WIN16)
-			OBJDIR_TAG = _I
-		else
-			OBJDIR_TAG = $(64BIT_TAG)_IDG
-		endif
-	else
-		ifeq ($(OS_TARGET),WIN16)
-			OBJDIR_TAG = _D
-		else
-			OBJDIR_TAG = $(64BIT_TAG)_DBG
-		endif
-	endif
-endif
-
-#
-# The following flags are defined in the individual $(OS_CONFIG).mk
-# files.
-#
-# CPU_TAG is defined if the CPU is not the most common CPU.
-# COMPILER_TAG is defined if the compiler is not the native compiler.
-# IMPL_STRATEGY may be defined too.
-#
-
-# Name of the binary code directories
-ifeq ($(OS_ARCH), WINNT)
-	ifeq ($(CPU_ARCH),x386)
-		OBJDIR_NAME = $(OS_CONFIG)$(OBJDIR_TAG).OBJ
-	else
-		OBJDIR_NAME = $(OS_CONFIG)$(CPU_ARCH)$(OBJDIR_TAG).OBJ
-	endif
-else
-endif
-
-OBJDIR_NAME = $(OS_CONFIG)$(CPU_TAG)$(COMPILER_TAG)$(LIBC_TAG)$(IMPL_STRATEGY)$(OBJDIR_TAG).OBJ
-
-ifeq ($(OS_ARCH), WINNT)
-ifneq ($(OS_TARGET),WIN16)
-ifndef BUILD_OPT
-#
-# Define USE_DEBUG_RTL if you want to use the debug runtime library
-# (RTL) in the debug build
-#
-ifdef USE_DEBUG_RTL
-	OBJDIR_NAME = $(OS_CONFIG)$(CPU_TAG)$(COMPILER_TAG)$(IMPL_STRATEGY)$(OBJDIR_TAG).OBJD
-endif
-endif
-endif
-endif
-
-#
-# For OS/2
-#
-ifeq ($(OS_ARCH), OS_2)
-OS_ARCH		:= OS2
-OS_RELEASE	:= $(shell uname -v)
-OS_CONFIG	:= $(OS_ARCH)
-endif
-
diff --git a/security/coreconf/command.mk b/security/coreconf/command.mk
deleted file mode 100644
index 488161461..000000000
--- a/security/coreconf/command.mk
+++ /dev/null
@@ -1,55 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#######################################################################
-# Master "Core Components" default command macros;                    #
-# can be overridden in <arch>.mk                                      #
-#######################################################################
-
-AS            = $(CC)
-ASFLAGS      += $(CFLAGS)
-CCF           = $(CC) $(CFLAGS)
-PURIFY        = purify $(PURIFYOPTIONS)
-LINK_DLL      = $(LINK) $(OS_DLLFLAGS) $(DLLFLAGS)
-LINK_EXE      = $(LINK) $(OS_LFLAGS) $(LFLAGS)
-NFSPWD        = $(NSINSTALL_DIR)/nfspwd
-CFLAGS       += $(OPTIMIZER) $(OS_CFLAGS) $(XP_DEFINE) $(DEFINES) $(INCLUDES) \
-		$(XCFLAGS)
-RANLIB        = echo
-TAR           = /bin/tar
-#
-# For purify
-#
-NOMD_CFLAGS  += $(OPTIMIZER) $(NOMD_OS_CFLAGS) $(XP_DEFINE) $(DEFINES) $(INCLUDES) \
-		$(XCFLAGS)
-
diff --git a/security/coreconf/config.mk b/security/coreconf/config.mk
deleted file mode 100644
index 20a7dc126..000000000
--- a/security/coreconf/config.mk
+++ /dev/null
@@ -1,142 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Configuration information for building in the "Core Components" source module
-#
-
-#######################################################################
-# [1.0] Master "Core Components" source and release <architecture>    #
-#       tags                                                          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/arch.mk
-
-#######################################################################
-# [2.0] Master "Core Components" default command macros               #
-#       (NOTE: may be overridden in $(OS_CONFIG).mk)                  #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/command.mk
-
-#######################################################################
-# [3.0] Master "Core Components" <architecture>-specific macros       #
-#       (dependent upon <architecture> tags)                          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/$(OS_CONFIG).mk
-
-#######################################################################
-# [4.0] Master "Core Components" source and release <platform> tags   #
-#       (dependent upon <architecture> tags)                          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/platform.mk
-
-#######################################################################
-# [5.0] Master "Core Components" release <tree> tags                  #
-#       (dependent upon <architecture> tags)                          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/tree.mk
-
-#######################################################################
-# [6.0] Master "Core Components" source and release <component> tags  #
-#       NOTE:  A component is also called a module or a subsystem.    #
-#       (dependent upon $(MODULE) being defined on the                #
-#        command line, as an environment variable, or in individual   #
-#        makefiles, or more appropriately, manifest.mn)               #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/module.mk
-
-#######################################################################
-# [7.0] Master "Core Components" release <version> tags               #
-#       (dependent upon $(MODULE) being defined on the                #
-#        command line, as an environment variable, or in individual   #
-#        makefiles, or more appropriately, manifest.mn)               #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/version.mk
-
-#######################################################################
-# [8.0] Master "Core Components" macros to figure out                 #
-#       binary code location                                          #
-#       (dependent upon <platform> tags)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/location.mk
-
-#######################################################################
-# [9.0] Master "Core Components" <component>-specific source path     #
-#       (dependent upon <user_source_tree>, <source_component>,       #
-#        <version>, and <platform> tags)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/source.mk
-
-#######################################################################
-# [10.0] Master "Core Components" include switch for support header   #
-#        files                                                        #
-#        (dependent upon <tree>, <component>, <version>,              #
-#         and <platform> tags)                                        #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/headers.mk
-
-#######################################################################
-# [11.0] Master "Core Components" for computing program prefixes      #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/prefix.mk
-
-#######################################################################
-# [12.0] Master "Core Components" for computing program suffixes      #
-#        (dependent upon <architecture> tags)                         #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/suffix.mk
-
-#######################################################################
-# [13.0] Master "Core Components" for defining JDK                    #
-#        (dependent upon <architecture>, <source>, and <suffix>  tags)#
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/jdk.mk
-
-#######################################################################
-# [14.0] Master "Core Components" rule set                            #
-#        (should always be the last file included by config.mk)       #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/ruleset.mk
--include $(MKDEPENDENCIES)
-
diff --git a/security/coreconf/coreconf.pl b/security/coreconf/coreconf.pl
deleted file mode 100644
index 8471b0ead..000000000
--- a/security/coreconf/coreconf.pl
+++ /dev/null
@@ -1,156 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-sub recursive_copy {
-    local($fromdir);
-    local($todir);
-    local(@dirlist);
-    $fromdir = shift;
-    $todir = shift;
-  
-    print STDERR "recursive copy called with $fromdir, $todir\n";
-
-#remove any trailing slashes.
-    $fromdir =~ s/\/$//;
-    $todir =~ s/\/$//;
-    
-    opendir(DIR, $fromdir);
-    @dirlist = readdir DIR;
-    close DIR;
-
-
-    foreach $file (@dirlist) {
-	if  (! (($file eq "." ) || ($file eq "..") )) {
-	    
-	    if (-d "$fromdir/$file") {
-		print STDERR "handling directory $todir/$file\n";
-		&rec_mkdir("$todir/$file");
-		&recursive_copy("$fromdir/$file","$todir/$file");
-	    }
-	    else {
-		print STDERR "handling file $fromdir/$file\n";
-		&my_copy("$fromdir/$file","$todir/$file");
-	    }
-	}
-    }
-}
-
-sub parse_argv {
-
-#    print STDERR "Parsing Variables\n";
-
-    foreach $q ( @ARGV ) {
-	if (! ($q =~ /=/)) {
-	    $var{$lastassigned} .= " $q";
-	}
-	else {
-	   $q =~ /^([^=]*)=(.*)/;
-	   $left = $1;
-	   $right = $2;
-	
-	   $right =~ s/ *$//;
-	   $var{$left} = $right;
-
-	   $lastassigned = $left;
-	
-	   }
-	print STDERR "Assigned $lastassigned = $var{$lastassigned}\n";
-    }
-}
-
-
-# usage: &my_copy("dir/fromfile","dir2/tofile");
-# do a 'copy' - files only, 'to' MUST be a filename, not a directory.
-
-# fix this to be able to use copy on win nt.
-
-sub my_copy {
-    local($from);
-    local($to);
-    local($cpcmd);
-
-    $from = shift;
-    $to = shift;
-
-    if ( ! defined $var{OS_ARCH}) {
-	die "OS_ARCH not defined!";
-    }
-    else {
-	if ($var{OS_ARCH} eq 'WINNT') {
-	    $cpcmd = 'cp';
-	    	}
-	else {
-	    $cpcmd = 'cp';
-	    }
-	print STDERR "COPYING: $cpcmd $from $to\n";
-	system("$cpcmd $from $to");
-    }
-}
-
-
-sub old_my_copy {
-    local($from);
-    local($to);
-
-    $from = shift;
-    $to = shift;
-    open(FIN, "<$from") || die("Can't read from file $from\n");
-    if ( ! open(FOUT,">$to")) {
-	close FIN;
-	die "Can't write to file $to\n";
-    }
-    while (read(FIN, $buf, 100000)) {
-	print FOUT $buf;
-    }
-    close (FIN);
-    close (FOUT);
-}
-
-sub rec_mkdir {
-    local($arg);
-    local($t);
-    local($q);
-
-    $arg = shift;
-    $t = "";
-    foreach $q (split(/\//,$arg)) {
-	$t .= $q;
-	if (! ($t =~ /\.\.$/)) {
-	    if ($t =~ /./) {
-		mkdir($t,0775);
-	    }
-	}
-	$t.= '/';
-    }
-}
-
-1;
diff --git a/security/coreconf/cpdist.pl b/security/coreconf/cpdist.pl
deleted file mode 100755
index cea077990..000000000
--- a/security/coreconf/cpdist.pl
+++ /dev/null
@@ -1,195 +0,0 @@
-#! /usr/local/bin/perl
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-require('coreconf.pl');
-
-#######-- read in variables on command line into %var
-
-&parse_argv;
- 
-### do the copy
-
-print STDERR "RELEASE TREE / MODULE =  $var{RELEASE_TREE} $var{MODULE}\n";
-
-
-
-# 1
-if ($var{RELEASE} eq "") { exit; } # Can't do release here, so exit.
-
-# 2
-#if (! ($var{RELEASE} =~ /\//)) {   # if no specific version is specified in RELEASE variable
-#    $component = $var{RELEASE};
-#}
-#else {  # if a subcomponent/version is given in the RELEASE variable
-#        $var{RELEASE} =~ m|^([^/]*)/|;  
-#	$component = $1;           # everything before the first slash;
-#    }
-
-# 3
-$path = $var{RELEASE};
-
-
-# 4
-# find out what directory we would create for 'today'
-
-$year = (localtime)[5] + 1900;
-$month = (localtime)[4] + 1;
-$day = (localtime)[3];
-$today = sprintf( "%d%02d%02d", $year, $month, $day );
-
-# 5
-# if version is null, then set the version to today.
-if ($var{"RELEASE_VERSION"} eq "") {
-    $var{"RELEASE_VERSION"} = $today;
-}
-
-#6
-$version = $var{"RELEASE_VERSION"};  # set RELEASE_VERSION to passed in variable
-
-#7
-# if version is today, then we will want to make a 'current' link.
-
-if ($version eq $today) {
-    $create_current = 1;
-}
-
-#8
-# version can be a) passed in value from command line, b) value in manifest.mn
-# or c) computed value such as '19970909'
-
-
-$dir = "$var{'RELEASE_TREE'}/$path";
-
-#9
-if (! (-e "$dir/$version" && -d "$dir/$version")) {
-    print "making dir $dir \n";
-    &rec_mkdir("$dir/$version");
-}
-
-
-
-print "version = $version\n";
-print "path = $path\n";
-print "var{release_tree} = $var{'RELEASE_TREE'}\n";
-print "dir = $dir   = RELEASE_TREE/path\n";
-
-
-#10
-if ($create_current == 1) {
-
-# unlinking and linking always occurs, even if the link is correct
-    print "unlinking $dir/current\n";
-    unlink("$dir/current");
-    
-    print "putting version number $today into 'current' file..";
-
-    open(FILE,">$dir/current") || die " couldn't open current\n";
-    print FILE "$today\n";
-    close(FILE);
-    print " ..done\n"
-    
-}
-
-&rec_mkdir("$dir/$version/$var{'RELEASE_MD_DIR'}");
-&rec_mkdir("$dir/$version/$var{'RELEASE_XP_DIR'}");
-
-
-
-
-foreach $jarfile (split(/ /,$var{FILES}) ) {
-    print STDERR "---------------------------------------------\n";
-    
-    $jarinfo = $var{$jarfile};
- 
-    ($jardir,$jaropts) = split(/\|/,$jarinfo);
- 
-    if ($jaropts =~ /f/) {
-      print STDERR "Copying files $jardir....\n";
-    }
-    else {
-      print STDERR "Copying jar file $jarfile....\n";
-    }
-    
-    print "jaropts = $jaropts\n";
-    
-    if ($jaropts =~ /m/) {
-      $destdir = $var{"RELEASE_MD_DIR"};
-      print "found m, using MD dir $destdir\n";
-    }
-    elsif ($jaropts =~ /x/) {
-      $destdir = $var{"RELEASE_XP_DIR"};
-      print "found x, using XP dir $destdir\n";
-    }
-    else {
-      die "Error: must specify m or x in jar options in $jarinfo line\n";
-    }
-    
-    
-    $distdir = "$dir/$version/$destdir";
-    
-
-
-    if ($jaropts =~ /f/) {
-
-      print "splitting: \"$jardir\"\n";
-      for $srcfile (split(/ /,$jardir)) {
-
-#if srcfile has a slash
-	if ($srcfile =~ m|/|) {
-#pull out everything before the last slash into $1
-	  $srcfile =~ m|(.*)/|;
-	  $distsubdir = "/$1";
-	  print "making dir $distdir$distsubdir\n";
-	  &rec_mkdir("$distdir$distsubdir");
-	}
-	print "copy: from $srcfile\n";
-	print "      to   $distdir$distsubdir\n";
-	$srcprefix = "";
-	if ($jaropts =~/m/) {
-	  $srcprefix = "$var{'PLATFORM'}/";
-	}
-	system("cp $srcprefix$srcfile $distdir$distsubdir");
-      }
-    }
-    else {
-      $srcfile = "$var{SOURCE_RELEASE_PREFIX}/$jardir/$jarfile";
-      
-      print "copy: from $srcfile\n";
-      print "      to   $distdir\n";
-      
-      system("cp $srcfile $distdir");
-      
-    }
-    
-  }
-
diff --git a/security/coreconf/headers.mk b/security/coreconf/headers.mk
deleted file mode 100644
index f09d5f6ee..000000000
--- a/security/coreconf/headers.mk
+++ /dev/null
@@ -1,54 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#######################################################################
-# Master "Core Components" include switch for support header files    #
-#######################################################################
-
-#
-#  Always append source-side machine-dependent (md) and cross-platform
-#  (xp) include paths
-#
-
-INCLUDES  += -I$(SOURCE_MDHEADERS_DIR) 
-
-ifneq ($(OS_TARGET),WIN16)
-INCLUDES  += -I$(SOURCE_XPHEADERS_DIR)
-endif
-
-#
-#  Only append source-side private cross-platform include paths for
-#  sectools
-#
-
-INCLUDES += -I$(SOURCE_XPPRIVATE_DIR)
diff --git a/security/coreconf/import.pl b/security/coreconf/import.pl
deleted file mode 100755
index 0bba3c820..000000000
--- a/security/coreconf/import.pl
+++ /dev/null
@@ -1,218 +0,0 @@
-#! /usr/local/bin/perl
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-print STDERR "import.pl\n";
-
-require('coreconf.pl');
-
-
-$returncode =0;
-
-
-#######-- read in variables on command line into %var
-
-$var{ZIP} = "zip";
-$var{UNZIP} = "unzip -o";
-
-&parse_argv;
-
-if (! ($var{IMPORTS} =~ /\w/)) {
-    print STDERR "nothing to import\n";
-}
-
-######-- Do the import!
-
-foreach $import (split(/ /,$var{IMPORTS}) ) {
-
-    print STDERR "\n\nIMPORTING .... $import\n-----------------------------\n";
-
-
-# if a specific version specified in IMPORT variable
-# (if $import has a slash in it)
-
-    if ($import =~ /\//) {
-        # $component=everything before the first slash of $import
-
-	$import =~ m|^([^/]*)/|; 
-	$component = $1;
-
-	$import =~ m|^(.*)/([^/]*)$|;
-
-	# $path=everything before the last slash of $import
-	$path = $1;
-
-	# $version=everything after the last slash of $import
-	$version = $2;
-
-	if ($var{VERSION} ne "current") {
-	    $version = $var{VERSION};
-	}
-    }
-    else {
-	$component = $import;
-	$path = $import;
-	$version = $var{VERSION};
-    }
-
-    $releasejardir = "$var{RELEASE_TREE}/$path";
-    if ($version eq "current") {
-	print STDERR "Current version specified. Reading 'current' file ... \n";
-	
-	open(CURRENT,"$releasejardir/current") || die "NO CURRENT FILE\n";
-	$version = <CURRENT>;
-	$version =~ s/(\r?\n)*$//; # remove any trailing [CR/]LF's
-	close(CURRENT);
-	print STDERR "Using version $version\n";
-	if ( $version eq "") {
-	    die "Current version file empty. Stopping\n";
-	}
-    }
-    
-    $releasejardir = "$releasejardir/$version";
-    if ( ! -d $releasejardir) {
-	die "$releasejardir doesn't exist (Invalid Version?)\n";
-    }
-    foreach $jarfile (split(/ /,$var{FILES})) {
-
-	($relpath,$distpath,$options) = split(/\|/, $var{$jarfile});
-
-	if ($var{'OVERRIDE_IMPORT_CHECK'} eq 'YES') {
-	    $options =~ s/v//g;
-	}
-
-	if ( $relpath ne "") { $releasejarpathname = "$releasejardir/$relpath";}
-	else { $releasejarpathname = $releasejardir; }
-
-# If a component doesn't have IDG versions, import the DBG ones
-    if( ! -e "$releasejarpathname/$jarfile" ) {
-        if( $relpath =~ /IDG\.OBJ$/ ) {
-            $relpath =~ s/IDG.OBJ/DBG.OBJ/;
-            $releasejarpathname = "$releasejardir/$relpath";
-        } elsif( $relpath =~ /IDG\.OBJD$/ ) {
-            $relpath =~ s/IDG.OBJD/DBG.OBJD/;
-            $releasejarpathname = "$releasejardir/$relpath";
-        }
-    }
-
-	if (-e "$releasejarpathname/$jarfile") {
-	    print STDERR "\nWorking on jarfile: $jarfile\n";
-	    
-	    if ($distpath =~ m|/$|) {
-		$distpathname = "$distpath$component";
-	    }
-	    else {
-		$distpathname = "$distpath"; 
-	    }
-	  
-	  
-#the block below is used to determine whether or not the xp headers have
-#already been imported for this component
-
-	    $doimport = 1;
-	  if ($options =~ /v/) {   # if we should check the imported version
-	      print STDERR "Checking if version file exists $distpathname/version\n";
-	      if (-e "$distpathname/version") {
-		  open( VFILE, "<$distpathname/version") ||
-		      die "Cannot open $distpathname/version for reading. Permissions?\n";
-		  $importversion = <VFILE>;
-		  close (VFILE);
-		  $importversion =~ s/\r?\n$//;   # Strip off any trailing CR/LF
-		  if ($version eq $importversion) {
-		      print STDERR "$distpathname version '$importversion' already imported. Skipping...\n";
-		      $doimport =0;
-		  }
-	      }
-	  }
-	  
-	  if ($doimport == 1) {
-	      if (! -d "$distpathname") {
-		  &rec_mkdir("$distpathname");
-	      }
-	      # delete the stuff in there already.
-	      # (this should really be recursive delete.)
-	      
-	      if ($options =~ /v/) {
-		  $remheader = "\nREMOVING files in '$distpathname/' :";
-		  opendir(DIR,"$distpathname") ||
-		      die ("Cannot read directory $distpathname\n");
-		  @filelist = readdir(DIR);
-		  closedir(DIR);
-		  foreach $file ( @filelist ) {
-		      if (! ($file =~ m!/.?.$!) ) {
-			  if (! (-d $file)) {
-			      $file =~ m!([^/]*)$!;
-			      print STDERR "$remheader $1";
-			      $remheader = " ";
-			      unlink "$distpathname/$file";
-			  }
-		      }
-		  }
-	      }
-
-
-	      print STDERR "\n\n";
-
-	      print STDERR "\nExtracting jarfile '$jarfile' to local directory $distpathname/\n";
-	      
-	      print STDERR "$var{UNZIP} $releasejarpathname/$jarfile -d $distpathname\n";
-	      system("$var{UNZIP} $releasejarpathname/$jarfile -d $distpathname");
-	      
-	      $r = $?;
-
-	      if ($options =~ /v/) {
-		  if ($r == 0) {
-		      unlink ("$distpathname/version");
-		      if (open(VFILE,">$distpathname/version")) {
-			  print VFILE "$version\n";
-			  close(VFILE);
-		      }
-		  }
-		  else {
-		      print STDERR "Could not create '$distpathname/version'. Permissions?\n";
-		      $returncode ++;
-		  }
-	      }
-	  }  # if (doimport)
-	} # if (-e releasejarpathname/jarfile)
-    } # foreach jarfile)
-} # foreach IMPORT
-
-
-
-exit($returncode);
-
-
-
-
-
diff --git a/security/coreconf/jdk.mk b/security/coreconf/jdk.mk
deleted file mode 100644
index 31b402802..000000000
--- a/security/coreconf/jdk.mk
+++ /dev/null
@@ -1,652 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-ifdef NS_USE_JDK
-#######################################################################
-# [1] Define preliminary JDK "Core Components" toolset options        #
-#######################################################################
-
-# set default JDK java threading model
-ifeq ($(JDK_THREADING_MODEL),)
-	JDK_THREADING_MODEL     = native_threads
-# no such thing as -native flag
-	JDK_THREADING_MODEL_OPT =
-endif
-
-#######################################################################
-# [2] Define platform-independent JDK "Core Components" options       #
-#######################################################################
-
-# set default location of the java classes repository
-ifeq ($(JAVA_DESTPATH),)
-ifdef BUILD_OPT
-	JAVA_DESTPATH  = $(SOURCE_CLASSES_DIR)
-else
-	JAVA_DESTPATH  = $(SOURCE_CLASSES_DBG_DIR)
-endif
-endif
-
-# set default location of the package under the java classes repository
-# note that this overrides the default package value in ruleset.mk
-ifeq ($(PACKAGE),)
-	PACKAGE = .
-endif
-
-# set default location of the java source code repository
-ifeq ($(JAVA_SOURCEPATH),)
-	JAVA_SOURCEPATH	= .
-endif
-
-# add JNI directory to default include search path
-ifneq ($(JNI_GEN),)
-	ifdef NSBUILDROOT
-		INCLUDES += -I$(JNI_GEN_DIR) -I$(SOURCE_XP_DIR)
-	else
-		INCLUDES += -I$(JNI_GEN_DIR)
-	endif
-endif
-
-#######################################################################
-# [3] Define platform-dependent JDK "Core Components" options         #
-#######################################################################
-
-# set [Microsoft Windows] platforms
-ifeq ($(OS_ARCH), WINNT)
-	# (1) specify "location" information
-	ifeq ($(JAVA_HOME),)
-		JAVA_HOME = //iridium/components/jdk/1.2.2_01/WINNT
-	endif
-
-	JAVA_CLASSES = $(JAVA_HOME)/lib/classes.zip
-
-	ifeq ($(JRE_HOME),)
-		JRE_HOME = $(JAVA_HOME)
-		JRE_CLASSES = $(JAVA_CLASSES)
-	else
-		ifeq ($(JRE_CLASSES),)
-			JRE_CLASSES = $(JRE_HOME)/lib/classes.zip
-		endif
-	endif
-
-	PATH_SEPARATOR = ;
-
-	# (2) specify "header" information
-	JAVA_ARCH = win32
-
-	INCLUDES += -I$(JAVA_HOME)/include
-	INCLUDES += -I$(JAVA_HOME)/include/$(JAVA_ARCH)
-
-	# (3) specify "linker" information
-	JAVA_CPU =
-
-	JAVA_LIBDIR = lib
-
-	JAVA_CLIBS =
-
-	JAVA_LIBS  = -LIBPATH:$(JAVA_HOME)/$(JAVA_LIBDIR) jvm.lib
-	JAVA_LIBS += $(JAVA_CLIBS)
-
-	LDFLAGS += $(JAVA_LIBS)
-
-	#     currently, disable JIT option on this platform
-	JDK_JIT_OPT = -nojit
-endif
-
-# set [Sun Solaris] platforms
-ifeq ($(OS_ARCH), SunOS)
-	# (1) specify "location" information
-	ifeq ($(JAVA_HOME),)
-		JAVA_HOME = /share/builds/components/jdk/1.2.2_01/SunOS
-	endif
-
-	JAVA_CLASSES = $(JAVA_HOME)/lib/classes.zip
-
-	ifeq ($(JRE_HOME),)
-		JRE_HOME = $(JAVA_HOME)
-		JRE_CLASSES = $(JAVA_CLASSES)
-	else
-		ifeq ($(JRE_CLASSES),)
-			JRE_CLASSES = $(JRE_HOME)/lib/classes.zip
-		endif
-	endif
-
-	PATH_SEPARATOR = :
-
-	# (2) specify "header" information
-	JAVA_ARCH = solaris
-
-	INCLUDES += -I$(JAVA_HOME)/include
-	INCLUDES += -I$(JAVA_HOME)/include/$(JAVA_ARCH)
-
-	# (3) specify "linker" information
-	JAVA_CPU = sparc
-
-	JAVA_LIBDIR = jre/lib/$(JAVA_CPU)
-
-	#     ** IMPORTANT ** having -lthread before -lnspr is critical on solaris
-	#     when linking with -ljava as nspr redefines symbols in libthread that
-	#     cause JNI executables to fail with assert of bad thread stack values.
-	JAVA_CLIBS = -lthread
-
-	JAVA_LIBS  = -L$(JAVA_HOME)/$(JAVA_LIBDIR)/$(JDK_THREADING_MODEL) -lhpi
-	JAVA_LIBS += -L$(JAVA_HOME)/$(JAVA_LIBDIR)/classic -ljvm
-	JAVA_LIBS += -L$(JAVA_HOME)/$(JAVA_LIBDIR) -ljava
-	JAVA_LIBS += $(JAVA_CLIBS)
-
-	LDFLAGS += $(JAVA_LIBS)
-
-	#     currently, disable JIT option on this platform
-	JDK_JIT_OPT =
-endif
-
-# set [Hewlett Packard HP-UX] platforms
-ifeq ($(OS_ARCH), HP-UX)
-	# (1) specify "location" information  (currently ONLY on "orville")
-	ifeq ($(JAVA_HOME),)
-		JAVA_HOME = /opt/java1.2
-	endif
-
-	JAVA_CLASSES = $(JAVA_HOME)/lib/classes.zip
-
-	ifeq ($(JRE_HOME),)
-		JRE_HOME = $(JAVA_HOME)
-		JRE_CLASSES = $(JAVA_CLASSES)
-	else
-		ifeq ($(JRE_CLASSES),)
-			JRE_CLASSES = $(JRE_HOME)/lib/classes.zip
-		endif
-	endif
-
-	PATH_SEPARATOR = :
-
-	# (2) specify "header" information
-	JAVA_ARCH = hp-ux
-
-	INCLUDES += -I$(JAVA_HOME)/include
-	INCLUDES += -I$(JAVA_HOME)/include/$(JAVA_ARCH)
-
-	# (3) specify "linker" information
-	JAVA_CPU = PA_RISC
-
-	JAVA_LIBDIR = jre/lib/$(JAVA_CPU)
-
-	JAVA_CLIBS =
-
-	JAVA_LIBS  = -L$(JAVA_HOME)/$(JAVA_LIBDIR)/$(JDK_THREADING_MODEL) -lhpi
-	JAVA_LIBS += -L$(JAVA_HOME)/$(JAVA_LIBDIR)/classic -ljvm
-	JAVA_LIBS += -L$(JAVA_HOME)/$(JAVA_LIBDIR) -ljava
-	JAVA_LIBS += $(JAVA_CLIBS)
-
-	LDFLAGS += $(JAVA_LIBS)
-
-	# no JIT option available on this platform
-	JDK_JIT_OPT =
-endif
-
-# set [Redhat Linux] platforms
-ifeq ($(OS_ARCH), Linux)
-	# (1) specify "location" information
-	ifeq ($(JAVA_HOME),)
-		JAVA_HOME = /share/builds/components/jdk/1.2.2/Linux
-	endif
-
-	JAVA_CLASSES = $(JAVA_HOME)/lib/classes.zip
-
-	ifeq ($(JRE_HOME),)
-		JRE_HOME = $(JAVA_HOME)
-		JRE_CLASSES = $(JAVA_CLASSES)
-	else
-		ifeq ($(JRE_CLASSES),)
-			JRE_CLASSES = $(JRE_HOME)/lib/classes.zip
-		endif
-	endif
-
-	PATH_SEPARATOR = :
-
-	# (2) specify "header" information
-	JAVA_ARCH = linux
-
-	INCLUDES += -I$(JAVA_HOME)/include
-	INCLUDES += -I$(JAVA_HOME)/include/$(JAVA_ARCH)
-
-	# (3) specify "linker" information
-	JAVA_CPU = i386
-
-	JAVA_LIBDIR = jre/lib/$(JAVA_CPU)
-
-	JAVA_CLIBS =
-
-	JAVA_LIBS  = -L$(JAVA_HOME)/$(JAVA_LIBDIR)/$(JDK_THREADING_MODEL) -lhpi
-	JAVA_LIBS += -L$(JAVA_HOME)/$(JAVA_LIBDIR)/classic -ljvm
-	JAVA_LIBS += -L$(JAVA_HOME)/$(JAVA_LIBDIR) -ljava
-	JAVA_LIBS += $(JAVA_CLIBS)
-
-	LDFLAGS += $(JAVA_LIBS)
-
-	# no JIT option available on this platform
-	JDK_JIT_OPT =
-endif
-
-# set [IBM AIX] platforms
-ifeq ($(OS_ARCH), AIX)
-	# (1) specify "location" information
-	ifeq ($(JAVA_HOME),)
-		JAVA_HOME = /share/builds/components/jdk/1.2.2/AIX
-	endif
-
-	JAVA_CLASSES = $(JAVA_HOME)/lib/classes.zip
-
-	ifeq ($(JRE_HOME),)
-		JRE_HOME = $(JAVA_HOME)
-		JRE_CLASSES = $(JAVA_CLASSES)
-	else
-		ifeq ($(JRE_CLASSES),)
-			JRE_CLASSES = $(JRE_HOME)/lib/classes.zip
-		endif
-	endif
-
-	PATH_SEPARATOR = :
-
-	# (2) specify "header" information
-	JAVA_ARCH = aix
-
-	INCLUDES += -I$(JAVA_HOME)/include
-
-	# (3) specify "linker" information
-	JAVA_CPU = aix
-
-	JAVA_LIBDIR = jre/bin
-
-	JAVA_CLIBS =
-
-	JAVA_LIBS  = -L$(JAVA_HOME)/$(JAVA_LIBDIR) -lhpi
-	JAVA_LIBS += -L$(JAVA_HOME)/$(JAVA_LIBDIR)/classic -ljvm
-	JAVA_LIBS += -L$(JAVA_HOME)/$(JAVA_LIBDIR) -ljava
-	JAVA_LIBS += $(JAVA_CLIBS)
-
-	LDFLAGS += $(JAVA_LIBS)
-
-	# no JIT option available on this platform
-	JDK_JIT_OPT =
-endif
-
-# set [Digital UNIX] platforms
-ifeq ($(OS_ARCH), OSF1)
-	# (1) specify "location" information
-	ifeq ($(JAVA_HOME),)
-		JAVA_HOME = /share/builds/components/jdk/1.2.2_3/OSF1
-	endif
-
-	JAVA_CLASSES = $(JAVA_HOME)/lib/classes.zip
-
-	ifeq ($(JRE_HOME),)
-		JRE_HOME = $(JAVA_HOME)
-		JRE_CLASSES = $(JAVA_CLASSES)
-	else
-		ifeq ($(JRE_CLASSES),)
-			JRE_CLASSES = $(JRE_HOME)/lib/classes.zip
-		endif
-	endif
-
-	PATH_SEPARATOR = :
-
-	# (2) specify "header" information
-	JAVA_ARCH = alpha
-
-	INCLUDES += -I$(JAVA_HOME)/include
-	INCLUDES += -I$(JAVA_HOME)/include/$(JAVA_ARCH)
-
-	# (3) specify "linker" information
-	JAVA_CPU = alpha
-
-	JAVA_LIBDIR = jre/lib/$(JAVA_CPU)
-
-	JAVA_CLIBS =
-
-	JAVA_LIBS  = -L$(JAVA_HOME)/$(JAVA_LIBDIR)/$(JDK_THREADING_MODEL) -lhpi
-	JAVA_LIBS += -L$(JAVA_HOME)/$(JAVA_LIBDIR)/classic -ljvm
-	JAVA_LIBS += -L$(JAVA_HOME)/$(JAVA_LIBDIR) -ljava
-	JAVA_LIBS += $(JAVA_CLIBS)
-
-	LDFLAGS += $(JAVA_LIBS)
-
-	# no JIT option available on this platform
-	JDK_JIT_OPT =
-endif
-
-# set [Silicon Graphics IRIX] platforms
-ifeq ($(OS_ARCH), IRIX)
-	# (1) specify "location" information
-	ifeq ($(JAVA_HOME),)
-		JAVA_HOME = /share/builds/components/jdk/1.2.1/IRIX
-	endif
-
-	JAVA_CLASSES = $(JAVA_HOME)/lib/dev.jar:$(JAVA_HOME)/lib/rt.jar
-
-	ifeq ($(JRE_HOME),)
-		JRE_HOME = $(JAVA_HOME)
-		JRE_CLASSES = $(JAVA_CLASSES)
-	else
-		ifeq ($(JRE_CLASSES),)
-			JRE_CLASSES = $(JRE_HOME)/lib/dev.jar:$(JRE_HOME)/lib/rt.jar
-		endif
-	endif
-
-	PATH_SEPARATOR = :
-
-	# (2) specify "header" information
-	JAVA_ARCH = irix
-
-	INCLUDES += -I$(JAVA_HOME)/include
-	INCLUDES += -I$(JAVA_HOME)/include/$(JAVA_ARCH)
-
-	# (3) specify "-n32 linker" information
-	JAVA_CPU = sgi
-
-	JAVA_LIBDIR = lib32/$(JAVA_CPU)
-
-	JAVA_CLIBS =
-
-	JAVA_LIBS  = -L$(JAVA_HOME)/$(JAVA_LIBDIR)/$(JDK_THREADING_MODEL) -lhpi
-	JAVA_LIBS += -lirixextra
-	JAVA_LIBS += -L$(JAVA_HOME)/$(JAVA_LIBDIR)/classic -ljvm
-	JAVA_LIBS += -L$(JAVA_HOME)/$(JAVA_LIBDIR) -ljava
-	JAVA_LIBS += $(JAVA_CLIBS)
-
-	LDFLAGS += $(JAVA_LIBS)
-
-	# no JIT option available on this platform
-	JDK_JIT_OPT =
-endif
-
-#######################################################################
-# [4] Define remaining JDK "Core Components" default toolset options  #
-#######################################################################
-
-# set JDK optimization model
-ifeq ($(BUILD_OPT),1)
-	JDK_OPTIMIZER_OPT = -O
-else
-	JDK_OPTIMIZER_OPT = -g
-endif
-
-# set minimal JDK debugging model
-ifeq ($(JDK_DEBUG),1)
-	JDK_DEBUG_OPT    = -debug
-else
-	JDK_DEBUG_OPT    =
-endif
-
-# set default path to repository for JDK classes
-ifeq ($(JDK_CLASS_REPOSITORY_OPT),)
-	JDK_CLASS_REPOSITORY_OPT = -d $(JAVA_DESTPATH)
-endif
-
-# initialize the JDK heap size option to a default value
-ifeq ($(JDK_INIT_HEAP_OPT),)
-	JDK_INIT_HEAP_OPT = -ms8m
-endif
-
-# define a default JDK classpath
-ifeq ($(JDK_CLASSPATH),)
-	JDK_CLASSPATH = "$(JAVA_DESTPATH)$(PATH_SEPARATOR)$(JAVA_SOURCEPATH)$(PATH_SEPARATOR)$(JAVA_CLASSES)"
-endif
-
-# by default, override CLASSPATH environment variable using the JDK classpath option with $(JDK_CLASSPATH)
-ifeq ($(JDK_CLASSPATH_OPT),)
-	JDK_CLASSPATH_OPT = -classpath $(JDK_CLASSPATH)
-endif
-
-
-endif
-
-
-ifdef NS_USE_JDK_TOOLSET
-#######################################################################
-# [5] Define JDK "Core Components" toolset;                           #
-#     (always allow a user to override these values)                  #
-#######################################################################
-
-#
-# (1) appletviewer
-#
-
-ifeq ($(APPLETVIEWER),)
-	APPLETVIEWER_PROG   = $(JAVA_HOME)/bin/appletviewer$(PROG_SUFFIX)
-	APPLETVIEWER_FLAGS  = $(JDK_THREADING_MODEL_OPT)
-	APPLETVIEWER_FLAGS += $(JDK_DEBUG_OPT)
-	APPLETVIEWER_FLAGS += $(JDK_JIT_OPT)
-	APPLETVIEWER        = $(APPLETVIEWER_PROG) $(APPLETVIEWER_FLAGS)
-endif
-
-#
-# (2) jar
-#
-
-ifeq ($(JAR),)
-	JAR_PROG   = $(JAVA_HOME)/bin/jar$(PROG_SUFFIX)
-	JAR_FLAGS  = $(JDK_THREADING_MODEL_OPT)
-	JAR        = $(JAR_PROG) $(JAR_FLAGS)
-endif
-
-#
-# (3) java
-#
-
-ifeq ($(JAVA),)
-	JAVA_PROG   = $(JAVA_HOME)/bin/java$(PROG_SUFFIX)
-	JAVA_FLAGS  = $(JDK_THREADING_MODEL_OPT)
-	JAVA_FLAGS += $(JDK_DEBUG_OPT)
-	JAVA_FLAGS += $(JDK_CLASSPATH_OPT)
-	JAVA_FLAGS += $(JDK_INIT_HEAP_OPT)
-	JAVA_FLAGS += $(JDK_JIT_OPT)
-	JAVA        = $(JAVA_PROG) $(JAVA_FLAGS) 
-endif
-
-#
-# (4) javac
-#
-
-ifeq ($(JAVAC),)
-	JAVAC_PROG   = $(JAVA_HOME)/bin/javac$(PROG_SUFFIX)
-	JAVAC_FLAGS  = $(JDK_THREADING_MODEL_OPT)
-	JAVAC_FLAGS += $(JDK_OPTIMIZER_OPT)
-	JAVAC_FLAGS += $(JDK_DEBUG_OPT)
-	JAVAC_FLAGS += $(JDK_CLASSPATH_OPT)
-	JAVAC_FLAGS += -J$(JDK_INIT_HEAP_OPT)
-	JAVAC_FLAGS += $(JDK_CLASS_REPOSITORY_OPT)
-	JAVAC        = $(JAVAC_PROG) $(JAVAC_FLAGS)
-endif
-
-#
-# (5) javadoc
-#
-
-ifeq ($(JAVADOC),)
-	JAVADOC_PROG   = $(JAVA_HOME)/bin/javadoc$(PROG_SUFFIX)
-	JAVADOC_FLAGS  = $(JDK_THREADING_MODEL_OPT)
-	JAVADOC_FLAGS += $(JDK_CLASSPATH_OPT)
-	JAVADOC_FLAGS += -J$(JDK_INIT_HEAP_OPT)
-	JAVADOC        = $(JAVADOC_PROG) $(JAVADOC_FLAGS)
-endif
-
-#
-# (6) javah
-#
-
-ifeq ($(JAVAH),)
-	JAVAH_PROG   = $(JAVA_HOME)/bin/javah$(PROG_SUFFIX)
-	JAVAH_FLAGS  = $(JDK_THREADING_MODEL_OPT)
-	JAVAH_FLAGS += $(JDK_CLASSPATH_OPT)
-	JAVAH        = $(JAVAH_PROG) $(JAVAH_FLAGS)
-endif
-
-#
-# (7) javakey
-#
-
-ifeq ($(JAVAKEY),)
-	JAVAKEY_PROG   = $(JAVA_HOME)/bin/javakey$(PROG_SUFFIX)
-	JAVAKEY_FLAGS  = $(JDK_THREADING_MODEL_OPT)
-	JAVAKEY        = $(JAVAKEY_PROG) $(JAVAKEY_FLAGS)
-endif
-
-#
-# (8) javap
-#
-
-ifeq ($(JAVAP),)
-	JAVAP_PROG   = $(JAVA_HOME)/bin/javap$(PROG_SUFFIX)
-	JAVAP_FLAGS  = $(JDK_THREADING_MODEL_OPT)
-	JAVAP_FLAGS += $(JDK_CLASSPATH_OPT)
-	JAVAP_FLAGS += -J$(JDK_INIT_HEAP_OPT)
-	JAVAP        = $(JAVAP_PROG) $(JAVAP_FLAGS)
-endif
-
-#
-# (9) javat
-#
-
-ifeq ($(JAVAT),)
-	JAVAT_PROG   = $(JAVA_HOME)/bin/javat$(PROG_SUFFIX)
-	JAVAT_FLAGS  = $(JDK_THREADING_MODEL_OPT)
-	JAVAT        = $(JAVAT_PROG) $(JAVAT_FLAGS)
-endif
-
-#
-# (10) javaverify
-#
-
-ifeq ($(JAVAVERIFY),)
-	JAVAVERIFY_PROG   = $(JAVA_HOME)/bin/javaverify$(PROG_SUFFIX)
-	JAVAVERIFY_FLAGS  = $(JDK_THREADING_MODEL_OPT)
-	JAVAVERIFY        = $(JAVAVERIFY_PROG) $(JAVAVERIFY_FLAGS)
-endif
-
-#
-# (11) javaw
-#
-
-ifeq ($(JAVAW),)
-	jJAVAW_PROG   = $(JAVA_HOME)/bin/javaw$(PROG_SUFFIX)
-	jJAVAW_FLAGS  = $(JDK_THREADING_MODEL_OPT)
-	jJAVAW_FLAGS += $(JDK_DEBUG_OPT)
-	jJAVAW_FLAGS += $(JDK_CLASSPATH_OPT)
-	jJAVAW_FLAGS += $(JDK_INIT_HEAP_OPT)
-	jJAVAW_FLAGS += $(JDK_JIT_OPT)
-	jJAVAW        = $(JAVAW_PROG) $(JAVAW_FLAGS)
-endif
-
-#
-# (12) jdb
-#
-
-ifeq ($(JDB),)
-	JDB_PROG   = $(JAVA_HOME)/bin/jdb$(PROG_SUFFIX)
-	JDB_FLAGS  = $(JDK_THREADING_MODEL_OPT)
-	JDB_FLAGS += $(JDK_DEBUG_OPT)
-	JDB_FLAGS += $(JDK_CLASSPATH_OPT)
-	JDB_FLAGS += $(JDK_INIT_HEAP_OPT)
-	JDB_FLAGS += $(JDK_JIT_OPT)
-	JDB        = $(JDB_PROG) $(JDB_FLAGS)
-endif
-
-#
-# (13) jre
-#
-
-ifeq ($(JRE),)
-	JRE_PROG   = $(JAVA_HOME)/bin/jre$(PROG_SUFFIX)
-	JRE_FLAGS  = $(JDK_THREADING_MODEL_OPT)
-	JRE_FLAGS += $(JDK_CLASSPATH_OPT)
-	JRE_FLAGS += $(JDK_INIT_HEAP_OPT)
-	JRE_FLAGS += $(JDK_JIT_OPT)
-	JRE        = $(JRE_PROG) $(JRE_FLAGS) 
-endif
-
-#
-# (14) jrew
-#
-
-ifeq ($(JREW),)
-	JREW_PROG   = $(JAVA_HOME)/bin/jrew$(PROG_SUFFIX)
-	JREW_FLAGS  = $(JDK_THREADING_MODEL_OPT)
-	JREW_FLAGS += $(JDK_CLASSPATH_OPT)
-	JREW_FLAGS += $(JDK_INIT_HEAP_OPT)
-	JREW_FLAGS += $(JDK_JIT_OPT)
-	JREW        = $(JREW_PROG) $(JREW_FLAGS) 
-endif
-
-#
-# (15) native2ascii
-#
-
-ifeq ($(NATIVE2ASCII),)
-	NATIVE2ASCII_PROG   = $(JAVA_HOME)/bin/native2ascii$(PROG_SUFFIX)
-	NATIVE2ASCII_FLAGS  = $(JDK_THREADING_MODEL_OPT)
-	NATIVE2ASCII        = $(NATIVE2ASCII_PROG) $(NATIVE2ASCII_FLAGS) 
-endif
-
-#
-# (16) rmic
-#
-
-ifeq ($(RMIC),)
-	RMIC_PROG   = $(JAVA_HOME)/bin/rmic$(PROG_SUFFIX)
-	RMIC_FLAGS  = $(JDK_THREADING_MODEL_OPT)
-	RMIC_FLAGS += $(JDK_OPTIMIZER_OPT)
-	RMIC_FLAGS += $(JDK_CLASSPATH_OPT)
-	RMIC        = $(RMIC_PROG) $(RMIC_FLAGS) 
-endif
-
-#
-# (17) rmiregistry
-#
-
-ifeq ($(RMIREGISTRY),)
-	RMIREGISTRY_PROG   = $(JAVA_HOME)/bin/rmiregistry$(PROG_SUFFIX)
-	RMIREGISTRY_FLAGS  = $(JDK_THREADING_MODEL_OPT)
-	RMIREGISTRY        = $(RMIREGISTRY_PROG) $(RMIREGISTRY_FLAGS) 
-endif
-
-#
-# (18) serialver
-#
-
-ifeq ($(SERIALVER),)
-	SERIALVER_PROG   = $(JAVA_HOME)/bin/serialver$(PROG_SUFFIX)
-	SERIALVER_FLAGS  = $(JDK_THREADING_MODEL_OPT)
-	SERIALVER        = $(SERIALVER_PROG) $(SERIALVER_FLAGS) 
-endif
- 
-endif
diff --git a/security/coreconf/jniregen.pl b/security/coreconf/jniregen.pl
deleted file mode 100755
index 607eaf68b..000000000
--- a/security/coreconf/jniregen.pl
+++ /dev/null
@@ -1,92 +0,0 @@
-#!/usr/local/bin/perl
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-# Input: -d dir foo1 foo2 . . .
-#        Compares generated "_jni/foo1.h" file with "foo1.class", and
-#        generated "_jni/foo2.h" file with "foo2.class", etc.
-#        (NOTE:  unlike its closely related cousin, outofdate.pl,
-#                the "-d dir" must always be specified)
-#
-# Returns: list of headers which are OLDER than corresponding class
-#          files (non-existant class files are considered to be real old :-)
-
-$found = 1;
-
-if ($ARGV[0] eq '-d')
-{
-    $classdir = $ARGV[1];
-    $classdir .= "/";
-    shift;
-    shift;
-}
-else
-{
-    print STDERR "Usage:  perl ", $0, " -d dir foo1 foo2 . . .\n";
-    exit -1;
-}
-
-foreach $filename (@ARGV)
-{
-    $headerfilename = "_jni/";
-    $headerfilename .= $filename;
-    $headerfilename =~ s/\./_/g;
-    $headerfilename .= ".h";
-
-    $classfilename = $filename;
-    $classfilename =~ s|\.|/|g;
-    $classfilename .= ".class";
-
-    $classfilename = $classdir . $classfilename;
-
-
-    ( $dev, $ino, $mode, $nlink, $uid, $gid, $rdev, $size, $atime, $headermtime,
-      $ctime, $blksize, $blocks ) = stat( $headerfilename );
-
-    ( $dev, $ino, $mode, $nlink, $uid, $gid, $rdev, $size, $atime, $classmtime,
-      $ctime, $blksize, $blocks ) = stat( $classfilename );
-
-    if( $headermtime < $classmtime )
-    {
-	# NOTE:  Since this is used by "javah", and "javah" refuses to overwrite
-	#        an existing file, we force an unlink from this script, since
-	#        we actually want to regenerate the header file at this time.
-	unlink $headerfilename;
-        print $filename, " ";
-        $found = 0;
-    }
-}
-
-print "\n";
-exit 0;
-
diff --git a/security/coreconf/location.mk b/security/coreconf/location.mk
deleted file mode 100644
index a0b25f74c..000000000
--- a/security/coreconf/location.mk
+++ /dev/null
@@ -1,60 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#######################################################################
-# Master "Core Components" macros to figure out binary code location  #
-#######################################################################
-
-#
-# Figure out where the binary code lives.
-#
-
-BUILD         = $(PLATFORM)
-OBJDIR        = $(PLATFORM)
-ifdef MOZILLA_SECURITY_BUILD
-DIST          = $(CORE_DEPTH)/../dist/$(PLATFORM)
-else
-ifdef MOZILLA_CLIENT
-DIST          = $(CORE_DEPTH)/../mozilla/dist/$(PLATFORM)
-else
-DIST          = $(CORE_DEPTH)/dist/$(PLATFORM)
-endif
-endif
-VPATH         = $(NSINSTALL_DIR)/$(PLATFORM)
-DEPENDENCIES  = $(PLATFORM)/.md
-
-ifdef BUILD_DEBUG_GC
-	DEFINES += -DDEBUG_GC
-endif
-
-GARBAGE += $(DEPENDENCIES) core $(wildcard core.[0-9]*)
diff --git a/security/coreconf/makefile.win b/security/coreconf/makefile.win
deleted file mode 100644
index c3abce76b..000000000
--- a/security/coreconf/makefile.win
+++ /dev/null
@@ -1,100 +0,0 @@
-# 
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#
-# An NMAKE file to set up and adjust coreconf's build system for
-# Client build.  Client build should invoke NMAKE on this file
-# instead of invoking gmake directly.
-#
-
-NS_DEPTH = ..
-include <$(NS_DEPTH)\config\config.mak>
-#include <$(NS_DEPTH)\config\rules.mak>
-
-#
-# Backslashes are escape characters to gmake, so flip all backslashes
-# in $(MOZ_TOOLS) to forward slashes and pass that to gmake.
-#
-
-GMAKE = $(MOZ_TOOLS)\bin\gmake.exe MOZ_TOOLS_FLIPPED=$(MOZ_TOOLS:\=/)
-
-GMAKE = $(GMAKE) PR_CLIENT_BUILD=1 PR_CLIENT_BUILD_WINDOWS=1
-
-#
-# The Client's debug build uses MSVC's debug runtime library (/MDd).
-#
-
-!ifdef MOZ_DEBUG
-GMAKE = $(GMAKE) USE_DEBUG_RTL=1
-!else
-GMAKE = $(GMAKE) BUILD_OPT=1
-!endif
-
-!if "$(MOZ_BITS)" == "16"
-GMAKE = $(GMAKE) OS_TARGET=WIN16
-!else
-
-GMAKE = $(GMAKE) OS_TARGET=WIN95
-!ifdef MOZ_DEBUG
-PR_OBJDIR = WIN954.0_DBG.OBJD
-!else
-PR_OBJDIR = WIN954.0_OPT.OBJ
-!endif
-
-!endif
-
-#
-# The rules.  Simply invoke gmake with the same target
-# for Win16, use the watcom compiler with the MSVC headers and libs
-#
-
-# this rule is needed so that nmake with no explicit target will only build
-# all, and not build all the targets named below in succession!
-default:: all
-
-# a rule like this one must only be used for explicitly named targets!
-all depend export libs install clobber clobber_all clean::
-!if "$(MOZ_BITS)" == "16"
-	set PATH=%WATCPATH%
-	set INCLUDE=%MSVC_INC%
-	set LIB=%MSVC_LIB%
-!endif
-	$(GMAKE) $@
-!if "$(MOZ_BITS)" == "16"
-	set PATH=%MSVCPATH%
-	set INCLUDE=%MSVC_INC%
-	set LIB=%MSVC_LIB%
-!endif
-
-show:
-	@echo "MAKEFLAGS = $(MAKEFLAGS)"
diff --git a/security/coreconf/module.mk b/security/coreconf/module.mk
deleted file mode 100644
index 55f7f8691..000000000
--- a/security/coreconf/module.mk
+++ /dev/null
@@ -1,64 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#######################################################################
-# The master "Core Components" source and release component directory #
-# names are ALWAYS identical and are the value of $(MODULE).          #
-# NOTE:  A component is also called a module or a subsystem.          #
-#######################################################################
-
-#
-#  All "Core Components" <component>-specific source-side tags must
-#  always be identified for compiling/linking purposes
-#
-
-ifndef JAVA_SOURCE_COMPONENT
-	JAVA_SOURCE_COMPONENT = java
-endif
-
-ifndef NETLIB_SOURCE_COMPONENT
-	NETLIB_SOURCE_COMPONENT = netlib
-endif
-
-ifndef NSPR_SOURCE_COMPONENT
-	NSPR_SOURCE_COMPONENT = nspr20
-endif
-
-ifndef SECTOOLS_SOURCE_COMPONENT
-	SECTOOLS_SOURCE_COMPONENT = sectools
-endif
-
-ifndef SECURITY_SOURCE_COMPONENT
-	SECURITY_SOURCE_COMPONENT = security
-endif
-
diff --git a/security/coreconf/nsinstall/Makefile b/security/coreconf/nsinstall/Makefile
deleted file mode 100644
index 2175b2d87..000000000
--- a/security/coreconf/nsinstall/Makefile
+++ /dev/null
@@ -1,59 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-DEPTH		= ../..
-CORE_DEPTH	= ../..
-
-MODULE		= coreconf
-
-CSRCS		= nsinstall.c pathsub.c
-
-PLSRCS		= nfspwd.pl
-
-PROGRAM		= nsinstall
-
-include $(DEPTH)/coreconf/config.mk
-
-ifeq ($(OS_ARCH),WINNT)
-PROGRAM		=
-else
-TARGETS		= $(PROGRAM) $(PLSRCS:.pl=)
-endif
-
-include $(DEPTH)/coreconf/rules.mk
-
-# Redefine MAKE_OBJDIR for just this directory
-define MAKE_OBJDIR
-if test ! -d $(@D); then rm -rf $(@D); mkdir $(@D); fi
-endef
-
diff --git a/security/coreconf/nsinstall/nfspwd b/security/coreconf/nsinstall/nfspwd
deleted file mode 100755
index 339abead3..000000000
--- a/security/coreconf/nsinstall/nfspwd
+++ /dev/null
@@ -1,46 +0,0 @@
-#! perl
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-require "fastcwd.pl";
-
-$_ = &fastcwd;
-if (m@^/[uh]/@o || s@^/tmp_mnt/@/@o) {
-    print("$_\n");
-} elsif ((($user, $rest) = m@^/usr/people/(\w+)/(.*)@o)
-      && readlink("/u/$user") eq "/usr/people/$user") {
-    print("/u/$user/$rest\n");
-} else {
-    chop($host = `hostname`);
-    print("/h/$host$_\n");
-}
diff --git a/security/coreconf/nsinstall/nfspwd.pl b/security/coreconf/nsinstall/nfspwd.pl
deleted file mode 100644
index 339abead3..000000000
--- a/security/coreconf/nsinstall/nfspwd.pl
+++ /dev/null
@@ -1,46 +0,0 @@
-#! perl
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-require "fastcwd.pl";
-
-$_ = &fastcwd;
-if (m@^/[uh]/@o || s@^/tmp_mnt/@/@o) {
-    print("$_\n");
-} elsif ((($user, $rest) = m@^/usr/people/(\w+)/(.*)@o)
-      && readlink("/u/$user") eq "/usr/people/$user") {
-    print("/u/$user/$rest\n");
-} else {
-    chop($host = `hostname`);
-    print("/h/$host$_\n");
-}
diff --git a/security/coreconf/nsinstall/nsinstall.c b/security/coreconf/nsinstall/nsinstall.c
deleted file mode 100644
index b404fdd73..000000000
--- a/security/coreconf/nsinstall/nsinstall.c
+++ /dev/null
@@ -1,403 +0,0 @@
-/* 
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- * 
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- * 
- * The Original Code is the Netscape security libraries.
- * 
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation.  Portions created by Netscape are 
- * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
- * Rights Reserved.
- * 
- * Contributor(s):
- * 
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable 
- * instead of those above.  If you wish to allow use of your 
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL.  If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
-** Netscape portable install command.
-*/
-#include <stdio.h>  /* OSF/1 requires this before grp.h, so put it first */
-#include <assert.h>
-#include <fcntl.h>
-#include <string.h>
-#if defined(_WINDOWS)
-#include <windows.h>
-typedef unsigned int mode_t;
-#else
-#include <grp.h>
-#include <pwd.h>
-#include <errno.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <utime.h>
-#endif
-#include <sys/types.h>
-#include <sys/stat.h>
-#include "pathsub.h"
-
-#define HAVE_LCHOWN
-
-#if defined(AIX) || defined(BSDI) || defined(HPUX) || defined(LINUX) || defined(SUNOS4) || defined(SCO) || defined(UNIXWARE)
-#undef HAVE_LCHOWN
-#endif
-
-#ifdef LINUX
-#include <getopt.h>
-#endif
-
-#if defined(SCO) || defined(UNIXWARE) || defined(SNI) || defined(NCR) || defined(NEC)
-#if !defined(S_ISLNK) && defined(S_IFLNK)
-#define S_ISLNK(a)	(((a) & S_IFMT) == S_IFLNK)
-#endif
-#endif
-
-#if defined(SNI)
-extern int fchmod(int fildes, mode_t mode);
-#endif
-
-static void
-usage(void)
-{
-    fprintf(stderr,
-	"usage: %s [-C cwd] [-L linkprefix] [-m mode] [-o owner] [-g group]\n"
-	"       %*s [-DdltR] file [file ...] directory\n",
-	program, strlen(program), "");
-    exit(2);
-}
-
-/* this is more-or-less equivalent to mkdir -p */
-static int
-mkdirs(char *path, mode_t mode)
-{
-    char *      cp;
-    int         rv;
-    struct stat sb;
-    
-    if (!path || !path[0]) 
-	fail("Null pointer or empty string passed to mkdirs()");
-    while (*path == '/' && path[1] == '/')
-	path++;
-    while ((cp = strrchr(path, '/')) && cp[1] == '\0')
-	*cp = '\0';
-    if (cp && cp != path) {
-	*cp = '\0';
-	if ((stat(path, &sb) < 0 || !S_ISDIR(sb.st_mode)) &&
-	    mkdirs(path, mode) < 0) {
-	    return -1;
-	}
-	*cp = '/';
-    }
-    rv = mkdir(path, mode);
-    if (rv) {
-	if (errno != EEXIST)
-	    fail("mkdirs cannot make %s", path);
-	fprintf(stderr, "directory creation race: %s\n", path);
-	if (!stat(path, &sb) && S_ISDIR(sb.st_mode)) 
-	    rv = 0;
-    }
-    return rv;
-}
-
-static uid_t
-touid(char *owner)
-{
-    struct passwd *pw;
-    uid_t uid;
-    char *cp;
-
-    if (!owner || !owner[0]) 
-	fail("Null pointer or empty string passed to touid()");
-    pw = getpwnam(owner);
-    if (pw)
-	return pw->pw_uid;
-    uid = strtol(owner, &cp, 0);
-    if (uid == 0 && cp == owner)
-	fail("cannot find uid for %s", owner);
-    return uid;
-}
-
-static gid_t
-togid(char *group)
-{
-    struct group *gr;
-    gid_t gid;
-    char *cp;
-
-    if (!group || !group[0]) 
-	fail("Null pointer or empty string passed to togid()");
-    gr = getgrnam(group);
-    if (gr)
-	return gr->gr_gid;
-    gid = strtol(group, &cp, 0);
-    if (gid == 0 && cp == group)
-	fail("cannot find gid for %s", group);
-    return gid;
-}
-
-void * const uninit = (void *)0xdeadbeef;
-
-int
-main(int argc, char **argv)
-{
-    char *	base		= uninit;
-    char *	bp		= uninit;
-    char *	cp		= uninit;
-    char *	cwd		= 0;
-    char *	group		= 0;
-    char *	linkname	= 0;
-    char *	linkprefix	= 0;
-    char *	name		= uninit;
-    char *	owner		= 0;
-    char *	todir		= uninit;
-    char *	toname		= uninit;
-
-    int 	bnlen		= -1;
-    int 	cc		= 0;
-    int 	dodir		= 0;
-    int 	dolink		= 0;
-    int 	dorelsymlink	= 0;
-    int 	dotimes		= 0;
-    int 	exists		= 0;
-    int 	fromfd		= -1;
-    int 	len		= -1;
-    int 	lplen		= 0;
-    int		onlydir		= 0;
-    int 	opt		= -1;
-    int 	tdlen		= -1;
-    int 	tofd		= -1;
-    int 	wc		= -1;
-
-    mode_t 	mode		= 0755;
-
-    uid_t 	uid		= -1;
-    gid_t 	gid		= -1;
-
-    struct stat sb;
-    struct stat tosb;
-    struct utimbuf utb;
-    char 	buf[BUFSIZ];
-
-    program = strrchr(argv[0], '/');
-    if (!program)
-	program = strrchr(argv[0], '\\');
-    program = program ? program+1 : argv[0];
-
-
-    while ((opt = getopt(argc, argv, "C:DdlL:Rm:o:g:t")) != EOF) {
-	switch (opt) {
-	  case 'C': cwd = optarg;	break;
-	  case 'D': onlydir = 1; 	break;
-	  case 'd': dodir = 1; 		break;
-	  case 'l': dolink = 1;		break;
-	  case 'L':
-	    linkprefix = optarg;
-	    lplen = strlen(linkprefix);
-	    dolink = 1;
-	    break;
-	  case 'R': dolink = dorelsymlink = 1; break;
-	  case 'm':
-	    mode = strtoul(optarg, &cp, 8);
-	    if (mode == 0 && cp == optarg)
-		usage();
-	    break;
-	  case 'o': owner = optarg; 	break;
-	  case 'g': group = optarg; 	break;
-	  case 't': dotimes = 1; 	break;
-	  default:  usage();
-	}
-    }
-
-    argc -= optind;
-    argv += optind;
-    if (argc < 2 - onlydir)
-	usage();
-
-    todir = argv[argc-1];
-    if ((stat(todir, &sb) < 0 || !S_ISDIR(sb.st_mode)) &&
-	mkdirs(todir, 0777) < 0) {
-	fail("cannot mkdir -p %s", todir);
-    }
-    if (onlydir)
-	return 0;
-
-    if (!cwd) {
-	cwd = getcwd(0, PATH_MAX);
-	if (!cwd)
-	    fail("could not get CWD");
-    }
-
-    /* make sure we can get into todir. */
-    xchdir(todir);
-    todir = getcwd(0, PATH_MAX);
-    if (!todir)
-	fail("could not get CWD in todir");
-    tdlen = strlen(todir);
-
-    /* back to original directory. */
-    xchdir(cwd);
-
-    uid = owner ? touid(owner) : -1;
-    gid = group ? togid(group) : -1;
-
-    while (--argc > 0) {
-	name   = *argv++;
-	len    = strlen(name);
-	base   = xbasename(name);
-	bnlen  = strlen(base);
-	toname = (char*)xmalloc(tdlen + 1 + bnlen + 1);
-	sprintf(toname, "%s/%s", todir, base);
-retry:
-	exists = (lstat(toname, &tosb) == 0);
-
-	if (dodir) {
-	    /* -d means create a directory, always */
-	    if (exists && !S_ISDIR(tosb.st_mode)) {
-		int rv = unlink(toname);
-		if (rv)
-		    fail("cannot unlink %s", toname);
-		exists = 0;
-	    }
-	    if (!exists && mkdir(toname, mode) < 0) {
-	    	/* we probably have two nsinstall programs in a race here. */
-		if (errno == EEXIST && !stat(toname, &sb) && 
-		    S_ISDIR(sb.st_mode)) {
-		    fprintf(stderr, "directory creation race: %s\n", toname);
-		    goto retry;
-	    	}
-		fail("cannot make directory %s", toname);
-	    }
-	    if ((owner || group) && chown(toname, uid, gid) < 0)
-		fail("cannot change owner of %s", toname);
-	} else if (dolink) {
-	    if (*name == '/') {
-		/* source is absolute pathname, link to it directly */
-		linkname = 0;
-	    } else {
-		if (linkprefix) {
-		    /* -L implies -l and prefixes names with a $cwd arg. */
-		    len += lplen + 1;
-		    linkname = (char*)xmalloc(len + 1);
-		    sprintf(linkname, "%s/%s", linkprefix, name);
-		} else if (dorelsymlink) {
-		    /* Symlink the relative path from todir to source name. */
-		    linkname = (char*)xmalloc(PATH_MAX);
-
-		    if (*todir == '/') {
-			/* todir is absolute: skip over common prefix. */
-			lplen = relatepaths(todir, cwd, linkname);
-			strcpy(linkname + lplen, name);
-		    } else {
-			/* todir is named by a relative path: reverse it. */
-			reversepath(todir, name, len, linkname);
-			xchdir(cwd);
-		    }
-
-		    len = strlen(linkname);
-		}
-		name = linkname;
-	    }
-
-	    /* Check for a pre-existing symlink with identical content. */
-	    if (exists &&
-		(!S_ISLNK(tosb.st_mode) ||
-		 readlink(toname, buf, sizeof buf) != len ||
-		 strncmp(buf, name, len) != 0)) {
-		int rmrv;
-		rmrv = (S_ISDIR(tosb.st_mode) ? rmdir : unlink)(toname);
-		if (rmrv < 0) {
-		    fail("destination exists, cannot remove %s", toname);
-		}
-		exists = 0;
-	    }
-	    if (!exists && symlink(name, toname) < 0) {
-		if (errno == EEXIST) {
-		    fprintf(stderr, "symlink creation race: %s\n", toname);
-		    goto retry;
-		}
-		diagnosePath(toname);
-		fail("cannot make symbolic link %s", toname);
-	    }
-#ifdef HAVE_LCHOWN
-	    if ((owner || group) && lchown(toname, uid, gid) < 0)
-		fail("cannot change owner of %s", toname);
-#endif
-
-	    if (linkname) {
-		free(linkname);
-		linkname = 0;
-	    }
-	} else {
-	    /* Copy from name to toname, which might be the same file. */
-	    fromfd = open(name, O_RDONLY);
-	    if (fromfd < 0 || fstat(fromfd, &sb) < 0)
-		fail("cannot access %s", name);
-	    if (exists && 
-	        (!S_ISREG(tosb.st_mode) || access(toname, W_OK) < 0)) {
-		int rmrv;
-		rmrv = (S_ISDIR(tosb.st_mode) ? rmdir : unlink)(toname);
-		if (rmrv < 0) {
-		    fail("destination exists, cannot remove %s", toname);
-		}
-	    }
-	    tofd = open(toname, O_CREAT | O_WRONLY, 0666);
-	    if (tofd < 0)
-		fail("cannot create %s", toname);
-
-	    bp = buf;
-	    while ((cc = read(fromfd, bp, sizeof buf)) > 0) {
-		while ((wc = write(tofd, bp, cc)) > 0) {
-		    if ((cc -= wc) == 0)
-			break;
-		    bp += wc;
-		}
-		if (wc < 0)
-		    fail("cannot write to %s", toname);
-	    }
-	    if (cc < 0)
-		fail("cannot read from %s", name);
-
-	    if (ftruncate(tofd, sb.st_size) < 0)
-		fail("cannot truncate %s", toname);
-	    if (dotimes) {
-		utb.actime = sb.st_atime;
-		utb.modtime = sb.st_mtime;
-		if (utime(toname, &utb) < 0)
-		    fail("cannot set times of %s", toname);
-	    }
-	    if (fchmod(tofd, mode) < 0)
-		fail("cannot change mode of %s", toname);
-	    if ((owner || group) && fchown(tofd, uid, gid) < 0)
-		fail("cannot change owner of %s", toname);
-
-	    /* Must check for delayed (NFS) write errors on close. */
-	    if (close(tofd) < 0)
-		fail("close reports write error on %s", toname);
-	    close(fromfd);
-	}
-
-	free(toname);
-    }
-
-    free(cwd);
-    free(todir);
-    return 0;
-}
-
diff --git a/security/coreconf/nsinstall/pathsub.c b/security/coreconf/nsinstall/pathsub.c
deleted file mode 100644
index 4d5728833..000000000
--- a/security/coreconf/nsinstall/pathsub.c
+++ /dev/null
@@ -1,302 +0,0 @@
-/* 
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- * 
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- * 
- * The Original Code is the Netscape security libraries.
- * 
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation.  Portions created by Netscape are 
- * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
- * Rights Reserved.
- * 
- * Contributor(s):
- * 
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable 
- * instead of those above.  If you wish to allow use of your 
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL.  If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
-** Pathname subroutines.
-*/
-#include <assert.h>
-#ifdef FREEBSD
-#include <sys/types.h>
-#endif /* FREEBSD */
-#include <dirent.h>
-#include <errno.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include "pathsub.h"
-#ifdef USE_REENTRANT_LIBC
-#include "libc_r.h"
-#endif /* USE_REENTRANT_LIBC */
-
-char *program;
-
-void
-fail(char *format, ...)
-{
-    int error;
-    va_list ap;
-
-#ifdef USE_REENTRANT_LIBC
-    R_STRERROR_INIT_R();
-#endif
-
-    error = errno;
-    fprintf(stderr, "%s: ", program);
-    va_start(ap, format);
-    vfprintf(stderr, format, ap);
-    va_end(ap);
-    if (error)
-
-#ifdef USE_REENTRANT_LIBC
-    R_STRERROR_R(errno);
-	fprintf(stderr, ": %s", r_strerror_r);
-#else
-	fprintf(stderr, ": %s", strerror(errno));
-#endif
-
-    putc('\n', stderr);
-    abort();
-    exit(1);
-}
-
-char *
-getcomponent(char *path, char *name)
-{
-    if (*path == '\0')
-	return 0;
-    if (*path == '/') {
-	*name++ = '/';
-    } else {
-	do {
-	    *name++ = *path++;
-	} while (*path != '/' && *path != '\0');
-    }
-    *name = '\0';
-    while (*path == '/')
-	path++;
-    return path;
-}
-
-#ifdef UNIXWARE
-/* The static buffer in Unixware's readdir is too small. */
-struct dirent * readdir(DIR *d)
-{
-    static struct dirent *buf = NULL;
-#define MAX_PATH_LEN 1024
-
-    if (buf == NULL)
-	buf = (struct dirent *)xmalloc(sizeof(struct dirent) + MAX_PATH_LEN) ;
-    return readdir_r(d, buf);
-}
-#endif
-
-/* APPARENT BUG - ignores argument "dir", uses ".." instead. */
-char *
-ino2name(ino_t ino, char *dir)
-{
-    DIR *dp;
-    struct dirent *ep;
-    char *name;
-
-    dp = opendir("..");		/* XXX */
-    if (!dp)
-	fail("cannot read parent directory");
-    for (;;) {
-	if (!(ep = readdir(dp)))
-	    fail("cannot find current directory");
-	if (ep->d_ino == ino)
-	    break;
-    }
-    name = xstrdup(ep->d_name);
-    closedir(dp);
-    return name;
-}
-
-void *
-xmalloc(size_t size)
-{
-    void *p;
-
-    if (size <= 0)
-	fail("attempted to allocate %u bytes", size);
-    p = malloc(size);
-    if (!p)
-	fail("cannot allocate %u bytes", size);
-    return p;
-}
-
-char *
-xstrdup(char *s)
-{
-    if (!s || !s[0]) 
-	fail("Null pointer or empty string passed to xstrdup()");
-    return strcpy((char*)xmalloc(strlen(s) + 1), s);
-}
-
-char *
-xbasename(char *path)
-{
-    char *cp;
-
-    if (!path || !path[0]) 
-	fail("Null pointer or empty string passed to xbasename()");
-    while ((cp = strrchr(path, '/')) && cp[1] == '\0')
-	*cp = '\0';
-    if (!cp) return path;
-    return cp + 1;
-}
-
-void
-xchdir(char *dir)
-{
-    if (!dir || !dir[0]) 
-	fail("Null pointer or empty string passed to xchdir()");
-    if (chdir(dir) < 0)
-	fail("cannot change directory to %s", dir);
-}
-
-int
-relatepaths(char *from, char *to, char *outpath)
-{
-    char *cp, *cp2;
-    int len;
-    char buf[NAME_MAX];
-
-    assert(*from == '/' && *to == '/');
-    if (!from || *from != '/')
-	fail("relatepaths: from path does not start with /");
-    if (!to || *to != '/')
-	fail("relatepaths: to   path does not start with /");
-
-    for (cp = to, cp2 = from; *cp == *cp2; cp++, cp2++)
-	if (*cp == '\0')
-	    break;
-    while (cp[-1] != '/')
-	cp--, cp2--;
-    if (cp - 1 == to) {
-	/* closest common ancestor is /, so use full pathname */
-	len = strlen(strcpy(outpath, to));
-	if (outpath[len] != '/') {
-	    outpath[len++] = '/';
-	    outpath[len] = '\0';
-	}
-    } else {
-	len = 0;
-	while ((cp2 = getcomponent(cp2, buf)) != 0) {
-	    strcpy(outpath + len, "../");
-	    len += 3;
-	}
-	while ((cp = getcomponent(cp, buf)) != 0) {
-	    sprintf(outpath + len, "%s/", buf);
-	    len += strlen(outpath + len);
-	}
-    }
-    return len;
-}
-
-void
-reversepath(char *inpath, char *name, int len, char *outpath)
-{
-    char *cp, *cp2;
-    char buf[NAME_MAX];
-    struct stat sb;
-
-    cp = strcpy(outpath + PATH_MAX - (len + 1), name);
-    cp2 = inpath;
-    while ((cp2 = getcomponent(cp2, buf)) != 0) {
-	if (strcmp(buf, ".") == 0)
-	    continue;
-	if (strcmp(buf, "..") == 0) {
-	    if (stat(".", &sb) < 0)
-		fail("cannot stat current directory");
-	    name = ino2name(sb.st_ino, "..");
-	    len = strlen(name);
-	    cp -= len + 1;
-	    strcpy(cp, name);
-	    cp[len] = '/';
-	    free(name);
-	    xchdir("..");
-	} else {
-	    cp -= 3;
-	    strncpy(cp, "../", 3);
-	    xchdir(buf);
-	}
-    }
-    strcpy(outpath, cp);
-}
-
-void
-diagnosePath(const char * path)
-{
-    char *	myPath;
-    char *      slash;
-    int		rv;
-    struct stat sb;
-    char 	buf[BUFSIZ];
-
-    if (!path || !path[0]) 
-	fail("Null pointer or empty string passed to mkdirs()");
-    myPath = strdup(path);
-    if (!myPath)
-	fail("strdup() failed!");
-    do {
-    	rv = lstat(myPath, &sb);
-	if (rv < 0) {
-	    perror(myPath);
-	} else if (S_ISLNK(sb.st_mode)) {
-	    rv = readlink(myPath, buf, sizeof buf);
-	    if (rv < 0) {
-	    	perror("readlink");
-		buf[0] = 0;
-	    } else {
-	    	buf[rv] = 0;
-	    }
-	    fprintf(stderr, "%s is a link to %s\n", myPath, buf);
-	} else if (S_ISDIR(sb.st_mode)) {
-	    fprintf(stderr, "%s is a directory\n", myPath);
-	    rv = access(myPath, X_OK);
-	    if (rv < 0) {
-	    	fprintf(stderr, "%s: no search permission\n", myPath);
-	    }
-	} else {
-	    fprintf(stderr, "%s is a file !?!\n", myPath);
-	    rv = access(myPath, F_OK);
-	    if (rv < 0) {
-	    	fprintf(stderr, "%s does not exist\n", myPath);
-	    }
-	}
-
-	/* chop path off one level. */
-	slash = strrchr(myPath, '/');
-	if (!slash)
-	    slash = strrchr(myPath, '\\');
-	if (!slash)
-	    slash = myPath;
-	*slash = 0;
-    } while (myPath[0]);
-    free(myPath);
-}
diff --git a/security/coreconf/nsinstall/sunos4.h b/security/coreconf/nsinstall/sunos4.h
deleted file mode 100644
index 9bdae872c..000000000
--- a/security/coreconf/nsinstall/sunos4.h
+++ /dev/null
@@ -1,163 +0,0 @@
-/* 
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
- */
-
-#ifndef pr_sunos4_h___
-#define pr_sunos4_h___
-
-#ifndef SVR4
-
-/*
-** Hodge podge of random missing prototypes for the Sunos4 system
-*/
-#include <stdio.h>
-#include <stdarg.h>
-#include <time.h>
-#include <limits.h>
-#include <sys/types.h>
-
-#define PATH_MAX _POSIX_PATH_MAX
-
-struct timeval;
-struct timezone;
-struct itimerval;
-struct sockaddr;
-struct stat;
-struct tm;
-
-/* ctype.h */
-extern int tolower(int);
-extern int toupper(int);
-
-/* errno.h */
-extern char *sys_errlist[];
-extern int sys_nerr;
-
-#define strerror(e) sys_errlist[((unsigned)(e) < sys_nerr) ? e : 0]
-
-extern void perror(const char *);
-
-/* getopt */
-extern char *optarg;
-extern int optind;
-extern int getopt(int argc, char **argv, char *spec);
-
-/* math.h */
-extern int srandom(long val);
-extern long random(void);
-
-/* memory.h */
-#define memmove(to,from,len) bcopy((char*)(from),(char*)(to),len)
-
-extern void bcopy(const char *, char *, int);
-
-/* signal.h */
-/*
-** SunOS4 sigaction hides interrupts by default, so we can safely define
-** SA_RESTART to 0 (HP-UX is a counter-example -- its sigaction does not
-** hide interrupts but lacks an SA_RESTART option; you must use sigvector
-** and tweak the sigcontext from within each signal handler!).
-*/
-#define SA_RESTART 0
-#define SA_SIGINFO 0
-
-/* stdio.h */
-extern int printf(const char *, ...);
-extern int fprintf(FILE *, const char *, ...);
-extern int vprintf(const char *, va_list);
-extern int vfprintf(FILE *, const char *, va_list);
-extern char *vsprintf(char *, const char *, va_list);
-extern int scanf(const char *, ...);
-extern int sscanf(const char *, const char *, ...);
-extern int fscanf(FILE *, const char *, ...);
-extern int fgetc(FILE *);
-extern int fputc(int, FILE *);
-extern int fputs(const char *, FILE *);
-extern int puts(const char *);
-extern int fread(void *, size_t, size_t, FILE *);
-extern int fwrite(const char *, int, int, FILE *);
-extern int fseek(FILE *, long, int);
-extern long ftell(FILE *);
-extern int rewind(FILE *);
-extern int fflush(FILE *);
-extern int _flsbuf(unsigned char, FILE *);
-extern int fclose(FILE *);
-extern int remove(const char *);
-extern int setvbuf(FILE *, char *, int, size_t);
-extern int system(const char *);
-extern FILE *popen(const char *, const char *);
-extern int pclose(FILE *);
-
-/* stdlib.h */
-#define strtoul strtol
-
-extern int isatty(int fildes);
-extern long strtol(const char *, char **, int);
-extern int putenv(const char *);
-extern void srand48(long);
-extern long lrand48(void);
-extern double drand48(void);
-
-/* string.h */
-extern int strcasecmp(const char *, const char *);
-extern int strncasecmp(const char *, const char *, size_t);
-extern int strcoll(const char *, const char *);
-
-/* time.h */
-extern time_t mktime(struct tm *);
-extern size_t strftime(char *, size_t, const char *, const struct tm *);
-extern int gettimeofday(struct timeval *, struct timezone *);
-extern int setitimer(int, struct itimerval *, struct itimerval *);
-extern time_t time(time_t *);
-extern time_t timegm(struct tm *);
-extern struct tm *localtime(const time_t *);
-extern struct tm *gmtime(const time_t *);
-
-/* unistd.h */
-extern int rename(const char *, const char *);
-extern int ioctl(int, int, int *arg);
-extern int connect(int, struct sockaddr *, int);
-extern int readlink(const char *, char *, int);
-extern int symlink(const char *, const char *);
-extern int ftruncate(int, off_t);
-extern int fchmod(int, mode_t);
-extern int fchown(int, uid_t, gid_t);
-extern int lstat(const char *, struct stat *);
-extern int fstat(int, struct stat *);
-extern int select(int, fd_set *, fd_set *, fd_set *, struct timeval *);
-extern int gethostname(char *, int);
-extern char *getwd(char *);
-extern int getpagesize(void);
-
-#endif /* SVR4 */
-
-#endif /* pr_sunos4_h___ */
diff --git a/security/coreconf/outofdate.pl b/security/coreconf/outofdate.pl
deleted file mode 100755
index 1044639e8..000000000
--- a/security/coreconf/outofdate.pl
+++ /dev/null
@@ -1,67 +0,0 @@
-#!/usr/local/bin/perl
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#Input: [-d dir] foo1.java foo2.java
-#Compares with: foo1.class foo2.class (if -d specified, checks in 'dir', 
-#  otherwise assumes .class files in same directory as .java files)
-#Returns: list of input arguments which are newer than corresponding class
-#files (non-existant class files are considered to be real old :-)
-
-$found = 1;
-
-if ($ARGV[0] eq '-d') {
-    $classdir = $ARGV[1];
-    $classdir .= "/";
-    shift;
-    shift;
-} else {
-    $classdir = "./";
-}
-
-foreach $filename (@ARGV) {
-    $classfilename = $classdir;
-    $classfilename .= $filename;
-    $classfilename =~ s/.java$/.class/;
-    ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size,$atime,$mtime,
-     $ctime,$blksize,$blocks) = stat($filename);
-    ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size,$atime,$classmtime,
-     $ctime,$blksize,$blocks) = stat($classfilename);
-#    print $filename, " ", $mtime, ", ", $classfilename, " ", $classmtime, "\n";
-    if ($mtime > $classmtime) {
-        print $filename, " ";
-        $found = 0;
-    }
-}
-
-print "\n";
diff --git a/security/coreconf/platform.mk b/security/coreconf/platform.mk
deleted file mode 100644
index a4826d315..000000000
--- a/security/coreconf/platform.mk
+++ /dev/null
@@ -1,38 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#######################################################################
-# Master "Core Components" <platform> tag                             #
-#######################################################################
-
-PLATFORM = $(OBJDIR_NAME)
diff --git a/security/coreconf/prefix.mk b/security/coreconf/prefix.mk
deleted file mode 100644
index af1142afd..000000000
--- a/security/coreconf/prefix.mk
+++ /dev/null
@@ -1,88 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#######################################################################
-# Master "Core Components" for computing program prefixes             #
-#######################################################################
-
-#
-# Object prefixes
-#
-
-ifndef OBJ_PREFIX
-	OBJ_PREFIX = 
-endif
-
-#
-# Library suffixes
-#
-
-ifndef LIB_PREFIX
-	ifeq ($(OS_ARCH), WINNT)
-		LIB_PREFIX = 
-	else
-		LIB_PREFIX = lib
-	endif
-endif
-
-
-ifndef DLL_PREFIX
-	ifeq ($(OS_ARCH), WINNT)
-		DLL_PREFIX = 
-	else
-		DLL_PREFIX = lib
-	endif
-endif
-
-
-ifndef IMPORT_LIB_PREFIX
-	IMPORT_LIB_PREFIX = 
-endif
-
-
-ifndef PURE_LIB_PREFIX
-	ifeq ($(OS_ARCH), WINNT)
-		PURE_LIB_PREFIX =
-	else
-		PURE_LIB_PREFIX = purelib
-	endif
-endif
-
-#
-# Program prefixes
-#
-
-ifndef PROG_PREFIX
-	PROG_PREFIX = 
-endif
-
diff --git a/security/coreconf/release.pl b/security/coreconf/release.pl
deleted file mode 100755
index 0a16727e1..000000000
--- a/security/coreconf/release.pl
+++ /dev/null
@@ -1,136 +0,0 @@
-#! /usr/local/bin/perl
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-
-require('coreconf.pl');
-
-#######-- read in variables on command line into %var
-
-$var{ZIP} = "zip";
-
-&parse_argv;
-
- 
-######-- Do the packaging of jars.
-
-foreach $jarfile (split(/ /,$var{FILES}) ) {
-    print STDERR "---------------------------------------------\n";
-    print STDERR "Packaging jar file $jarfile....\n";
-
-    $jarinfo = $var{$jarfile};
-
-    ($jardir,$jaropts) = split(/\|/,$jarinfo);
-
-    $zipoptions = "-T";
-    if ($jaropts =~ /a/) {
-	if ($var{OS_ARCH} eq 'WINNT') {
-	    $zipoptions .= ' -ll';
-	}
-    }
-
-# don't compress jar files containing classes since some java
-# implementations do not implement decompression correctly
-	if ( ($jarfile eq 'xpclass.jar') || ($jarfile eq 'xpclass_dbg.jar') ) {
-	    $zipoptions .= ' -0';
-	}
-
-
-# just in case the directory ends in a /, remove it
-    if ($jardir =~ /\/$/) {
-	chop $jardir;
-    }
-
-    $dirdepth --;
-    
-    print STDERR "jardir = $jardir\n";
-    system("ls $jardir");
-
-    if (-d $jardir) {
-
-
-# count the number of slashes
-
-	$slashes =0;
-	
-	foreach $i (split(//,$jardir)) {
-	    if ($i =~ /\//) {
-		$slashes++;
-	    }
-	}
-
-	$dotdots =0;
-	
-	foreach $i (split(m|/|,$jardir)) {
-	    if ($i eq '..') {
-		$dotdots ++;
-	    }
-	}
-
-	$dirdepth = ($slashes +1) - (2*$dotdots);
-
-	print STDERR "changing dir $jardir\n";
-	chdir($jardir);
-	print STDERR "making dir META-INF\n";
-	mkdir("META-INF",0755);
-
-	$filelist = "";
-	opendir(DIR,".");
-	while ($_ = readdir(DIR)) {
-	    if (! ( ($_ eq '.') || ($_ eq '..'))) {
-		if ( $jaropts =~ /i/) {
-		    if (! /^include$/) {
-			$filelist .= "$_ ";
-		    }
-		}
-		else {
-		    $filelist .= "$_ ";
-		}
-	    }
-	}
-	closedir(DIR);	
-
-	print STDERR "zip $zipoptions -r $jarfile $filelist\n";
-	system("zip $zipoptions -r $jarfile $filelist");
-	rmdir("META-INF");
-	    for $i (1 .. $dirdepth) {
-	    chdir("..");
-	    print STDERR "chdir ..\n";
-	}
-    }
-    else {
-        print STDERR "Directory $jardir doesn't exist\n";
-    }
-
-}
-
diff --git a/security/coreconf/rules.mk b/security/coreconf/rules.mk
deleted file mode 100644
index 9900c4702..000000000
--- a/security/coreconf/rules.mk
+++ /dev/null
@@ -1,971 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#######################################################################
-###                                                                 ###
-###              R U L E S   O F   E N G A G E M E N T              ###
-###                                                                 ###
-#######################################################################
-
-#######################################################################
-# Double-Colon rules for utilizing the binary release model.          #
-#######################################################################
-
-all:: export libs program install
-
-ifeq ($(AUTOCLEAN),1)
-autobuild:: clean export private_export libs program install
-else
-autobuild:: export private_export libs program install
-endif
-
-platform::
-	@echo $(OBJDIR_NAME)
-
-
-#
-# IMPORTS will always be associated with a component.  Therefore,
-# the "import" rule will always change directory to the top-level
-# of a component, and traverse the IMPORTS keyword from the
-# "manifest.mn" file located at this level only.
-#
-# note: if there is a trailing slash, the component will be appended
-#       (see import.pl - only used for xpheader.jar)
-
-import::
-	@echo "== import.pl =="
-	@perl -I$(CORE_DEPTH)/coreconf $(CORE_DEPTH)/coreconf/import.pl \
-		"RELEASE_TREE=$(RELEASE_TREE)"   \
-		"IMPORTS=$(IMPORTS)"             \
-		"VERSION=$(VERSION)" \
-		"OS_ARCH=$(OS_ARCH)"             \
-		"PLATFORM=$(PLATFORM)" \
-		"OVERRIDE_IMPORT_CHECK=$(OVERRIDE_IMPORT_CHECK)"   \
-		"ALLOW_VERSION_OVERRIDE=$(ALLOW_VERSION_OVERRIDE)" \
-		"SOURCE_RELEASE_PREFIX=$(SOURCE_RELEASE_XP_DIR)"   \
-		"SOURCE_MD_DIR=$(SOURCE_MD_DIR)"      \
-		"SOURCE_XP_DIR=$(SOURCE_XP_DIR)"      \
-		"FILES=$(IMPORT_XPCLASS_JAR) $(XPHEADER_JAR) $(MDHEADER_JAR) $(MDBINARY_JAR)" \
-		"$(IMPORT_XPCLASS_JAR)=$(IMPORT_XP_DIR)|$(IMPORT_XPCLASS_DIR)|"    \
-		"$(XPHEADER_JAR)=$(IMPORT_XP_DIR)|$(SOURCE_XP_DIR)/public/|v" \
-		"$(MDHEADER_JAR)=$(IMPORT_MD_DIR)|$(SOURCE_MD_DIR)/include|"        \
-		"$(MDBINARY_JAR)=$(IMPORT_MD_DIR)|$(SOURCE_MD_DIR)|"
-
-export::
-	+$(LOOP_OVER_DIRS)
-
-private_export::
-	+$(LOOP_OVER_DIRS)
-
-release_export::
-	+$(LOOP_OVER_DIRS)
-
-release_classes::
-	+$(LOOP_OVER_DIRS)
-
-libs program install:: $(TARGETS)
-ifdef LIBRARY
-	$(INSTALL) -m 664 $(LIBRARY) $(SOURCE_LIB_DIR)
-endif
-ifdef SHARED_LIBRARY
-	$(INSTALL) -m 775 $(SHARED_LIBRARY) $(SOURCE_LIB_DIR)
-endif
-ifdef IMPORT_LIBRARY
-	$(INSTALL) -m 775 $(IMPORT_LIBRARY) $(SOURCE_LIB_DIR)
-endif
-ifdef PURE_LIBRARY
-	$(INSTALL) -m 775 $(PURE_LIBRARY) $(SOURCE_LIB_DIR)
-endif
-ifdef PROGRAM
-	$(INSTALL) -m 775 $(PROGRAM) $(SOURCE_BIN_DIR)
-endif
-ifdef PROGRAMS
-	$(INSTALL) -m 775 $(PROGRAMS) $(SOURCE_BIN_DIR)
-endif
-	+$(LOOP_OVER_DIRS)
-
-tests::
-	+$(LOOP_OVER_DIRS)
-
-clean clobber::
-	rm -rf $(ALL_TRASH)
-	+$(LOOP_OVER_DIRS)
-
-realclean clobber_all::
-	rm -rf $(wildcard *.OBJ) dist $(ALL_TRASH)
-	+$(LOOP_OVER_DIRS)
-
-#ifdef ALL_PLATFORMS
-#all_platforms:: $(NFSPWD)
-#	@d=`$(NFSPWD)`;							\
-#	if test ! -d LOGS; then rm -rf LOGS; mkdir LOGS; fi;		\
-#	for h in $(PLATFORM_HOSTS); do					\
-#		echo "On $$h: $(MAKE) $(ALL_PLATFORMS) >& LOGS/$$h.log";\
-#		rsh $$h -n "(chdir $$d;					\
-#			     $(MAKE) $(ALL_PLATFORMS) >& LOGS/$$h.log;	\
-#			     echo DONE) &" 2>&1 > LOGS/$$h.pid &	\
-#		sleep 1;						\
-#	done
-#
-#$(NFSPWD):
-#	cd $(@D); $(MAKE) $(@F)
-#endif
-
-#######################################################################
-# Double-Colon rules for populating the binary release model.         #
-#######################################################################
-
-
-release_clean::
-	rm -rf $(SOURCE_XP_DIR)/release/$(RELEASE_MD_DIR)
-
-release:: release_clean release_export release_classes release_policy release_md release_jars release_cpdistdir
-
-release_cpdistdir::
-	@echo "== cpdist.pl =="
-	@perl -I$(CORE_DEPTH)/coreconf $(CORE_DEPTH)/coreconf/cpdist.pl \
-		"RELEASE_TREE=$(RELEASE_TREE)" \
-		"CORE_DEPTH=$(CORE_DEPTH)" \
-		"MODULE=${MODULE}" \
-		"OS_ARCH=$(OS_ARCH)" \
-		"RELEASE=$(RELEASE)" \
-		"PLATFORM=$(PLATFORM)" \
-		"RELEASE_VERSION=$(RELEASE_VERSION)" \
-		"SOURCE_RELEASE_PREFIX=$(SOURCE_RELEASE_XP_DIR)" \
-		"RELEASE_XP_DIR=$(RELEASE_XP_DIR)" \
-		"RELEASE_MD_DIR=$(RELEASE_MD_DIR)" \
-		"FILES=$(XPCLASS_JAR) $(XPCLASS_DBG_JAR) $(XPHEADER_JAR) $(MDHEADER_JAR) $(MDBINARY_JAR) XP_FILES MD_FILES" \
-		"$(XPCLASS_JAR)=$(SOURCE_RELEASE_CLASSES_DIR)|x"\
-		"$(XPCLASS_DBG_JAR)=$(SOURCE_RELEASE_CLASSES_DBG_DIR)|x"\
-		"$(XPHEADER_JAR)=$(SOURCE_RELEASE_XPHEADERS_DIR)|x" \
-		"$(MDHEADER_JAR)=$(SOURCE_RELEASE_MDHEADERS_DIR)|m" \
-		"$(MDBINARY_JAR)=$(SOURCE_RELEASE_MD_DIR)|m" \
-		"XP_FILES=$(XP_FILES)|xf" \
-		"MD_FILES=$(MD_FILES)|mf"
-
-
-# $(SOURCE_RELEASE_xxx_JAR) is a name like yyy.jar
-# $(SOURCE_RELEASE_xx_DIR)  is a name like 
-
-release_jars::
-	@echo "== release.pl =="
-	@perl -I$(CORE_DEPTH)/coreconf $(CORE_DEPTH)/coreconf/release.pl \
-		"RELEASE_TREE=$(RELEASE_TREE)" \
-		"PLATFORM=$(PLATFORM)" \
-		"OS_ARCH=$(OS_ARCH)" \
-		"RELEASE_VERSION=$(RELEASE_VERSION)" \
-		"SOURCE_RELEASE_DIR=$(SOURCE_RELEASE_DIR)" \
-		"FILES=$(XPCLASS_JAR) $(XPCLASS_DBG_JAR) $(XPHEADER_JAR) $(MDHEADER_JAR) $(MDBINARY_JAR)" \
-		"$(XPCLASS_JAR)=$(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_CLASSES_DIR)|b"\
-		"$(XPCLASS_DBG_JAR)=$(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_CLASSES_DBG_DIR)|b"\
-		"$(XPHEADER_JAR)=$(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_XPHEADERS_DIR)|a" \
-		"$(MDHEADER_JAR)=$(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_MDHEADERS_DIR)|a" \
-		"$(MDBINARY_JAR)=$(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_MD_DIR)|bi"
-
-# Rules for releasing classes.
-# We have to do some REALLY gross stuff to deal with multiple classes in one
-# file, as well as nested classes, which have a filename of the form
-# ContainingClass$NestedClass.class.
-# RELEASE_CLASSES simply performs a required patsubst on CLASSES
-# RELEASE_CLASS_PATH is RELEASE_CLASSES with the path (in ns/dist) prepended
-# RELEASE_NESTED is all the nested classes in RELEASE_CLASS_PATH.  We use a
-#   foreach and wildcard to get all the files that start out like one of the
-#   class files, then have a $.  So, for each class file, we look for file$*
-# RELEASE_FILES is the combination of RELEASE_NESTED and the class files
-#   specified by RELEASE_CLASSES which have .class appended to them.  Note that
-#   the RELEASE_NESTED don't need to have .class appended because they were
-#   read in from the wildcard as complete filenames.
-#
-# The _DBG versions are the debuggable ones.
-ifneq ($(CLASSES),)
-
-RELEASE_CLASSES := $(patsubst %,%,$(CLASSES))
-
-ifdef BUILD_OPT
-	RELEASE_CLASS_PATH := $(patsubst %,$(SOURCE_CLASSES_DIR)/$(PACKAGE)/%, $(RELEASE_CLASSES))
-	RELEASE_NESTED := $(foreach file,$(RELEASE_CLASS_PATH),$(wildcard $(file)$$*))
-	RELEASE_FILES := $(patsubst %,%.class,$(RELEASE_CLASS_PATH)) $(RELEASE_NESTED)
-else
-	RELEASE_DBG_CLASS_PATH:= $(patsubst %,$(SOURCE_CLASSES_DBG_DIR)/$(PACKAGE)/%, $(RELEASE_CLASSES))
-	RELEASE_DBG_NESTED := $(foreach file,$(RELEASE_DBG_CLASS_PATH),$(wildcard $(file)$$*))
-	RELEASE_DBG_FILES := $(patsubst %,%.class,$(RELEASE_DBG_CLASS_PATH)) $(RELEASE_DBG_NESTED)
-endif
-
-# Substitute \$ for $ so the shell doesn't choke
-ifdef BUILD_OPT
-release_classes::
-	$(INSTALL) -m 444 $(subst $$,\$$,$(RELEASE_FILES)) $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_CLASSES_DIR)/$(PACKAGE)
-else
-release_classes::
-	$(INSTALL) -m 444 $(subst $$,\$$,$(RELEASE_DBG_FILES)) $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_CLASSES_DBG_DIR)/$(PACKAGE)
-endif
-
-endif
-
-ifneq ($(POLICY),)
-release_policy::
-ifdef LIBRARY
-	-$(PLCYPATCH) $(PLCYPATCH_ARGS) $(LIBRARY)
-endif
-ifdef SHARED_LIBRARY
-ifdef COMPRESS_TARGET
-	if test -f $(SHARED_LIBRARY).bak; then 			\
-		cp $(SHARED_LIBRARY).bak $(SHARED_LIBRARY);	\
-	fi;
-endif
-	-$(PLCYPATCH) $(PLCYPATCH_ARGS) $(SHARED_LIBRARY)
-ifdef COMPRESS_TARGET
-	$(COMPRESS_TARGET) $(SHARED_LIBRARY)
-endif
-endif
-ifdef IMPORT_LIBRARY
-	-$(PLCYPATCH) $(PLCYPATCH_ARGS) $(IMPORT_LIBRARY)
-endif
-ifdef PURE_LIBRARY
-	-$(PLCYPATCH) $(PLCYPATCH_ARGS) $(PURE_LIBRARY)
-endif
-ifdef PROGRAM
-ifdef COMPRESS_TARGET
-	if test -f $(PROGRAM).bak; then		\
-		cp $(PROGRAM).bak $(PROGRAM);	\
-	fi;
-endif
-	-$(PLCYPATCH) $(PLCYPATCH_ARGS) $(PROGRAM)
-ifdef COMPRESS_TARGET
-	$(COMPRESS_TARGET) $(PROGRAM)
-endif
-endif
-ifdef PROGRAMS
-	-$(PLCYPATCH) $(PLCYPATCH_ARGS) $(PROGRAMS)
-endif
-	+$(LOOP_OVER_DIRS)
-else
-release_policy::
-	+$(LOOP_OVER_DIRS)
-endif
-
-release_md::
-ifdef LIBRARY
-	$(INSTALL) -m 444 $(LIBRARY) $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)
-endif
-ifdef SHARED_LIBRARY
-	$(INSTALL) -m 555 $(SHARED_LIBRARY) $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)
-endif
-ifdef IMPORT_LIBRARY
-	$(INSTALL) -m 555 $(IMPORT_LIBRARY) $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)
-endif
-ifdef PURE_LIBRARY
-	$(INSTALL) -m 555 $(PURE_LIBRARY) $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)
-endif
-ifdef PROGRAM
-	$(INSTALL) -m 555 $(PROGRAM) $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_BIN_DIR)
-endif
-ifdef PROGRAMS
-	$(INSTALL) -m 555 $(PROGRAMS) $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_BIN_DIR)
-endif
-	+$(LOOP_OVER_DIRS)
-
-
-alltags:
-	rm -f TAGS
-	find . -name dist -prune -o \( -name '*.[hc]' -o -name '*.cp' -o -name '*.cpp' \) -print | xargs etags -a
-	find . -name dist -prune -o \( -name '*.[hc]' -o -name '*.cp' -o -name '*.cpp' \) -print | xargs ctags -a
-
-$(PROGRAM): $(OBJS) $(EXTRA_LIBS)
-	@$(MAKE_OBJDIR)
-ifeq ($(OS_ARCH),WINNT)
-ifeq ($(OS_TARGET),WIN16)
-	echo system windows >w16link
-	echo option map >>w16link
-	echo option oneautodata >>w16link
-	echo option heapsize=32K >>w16link
-	echo debug watcom all >>w16link
-	echo name $@ >>w16link
-	echo file >>w16link
-	echo $(W16OBJS) , >>w16link
-	echo $(W16LDFLAGS) >> w16link
-	echo library >>w16link
-	echo winsock.lib >>w16link
-	$(LINK) @w16link.
-	rm w16link
-else
-	$(MKPROG) $(OBJS) -Fe$@ -link $(LDFLAGS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS)
-endif
-else
-	$(MKPROG) -o $@ $(CFLAGS) $(OBJS) $(LDFLAGS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS)
-endif
-ifneq ($(POLICY),)
-#ifdef COMPRESS_TARGET
-#	$(COMPRESS_TARGET)
-# We're going to cache a copy to keep around
-#	cp $(PROGRAM) $(PROGRAM).org
-#endif
-	-$(PLCYPATCH) $(PLCYPATCH_ARGS) $@
-endif
-
-$(LIBRARY): $(OBJS)
-	@$(MAKE_OBJDIR)
-	rm -f $@
-	$(AR) $(OBJS)
-	$(RANLIB) $@
-
-ifeq ($(OS_TARGET), WIN16)
-$(IMPORT_LIBRARY): $(SHARED_LIBRARY)
-	wlib +$(SHARED_LIBRARY)
-endif
-
-$(SHARED_LIBRARY): $(OBJS)
-	@$(MAKE_OBJDIR)
-	rm -f $@
-ifeq ($(OS_ARCH)$(OS_RELEASE), AIX4.1)
-	echo "#!" > $(OBJDIR)/lib$(LIBRARY_NAME)_syms
-	nm -B -C -g $(OBJS) \
-	| awk '/ [T,D] / {print $$3}' \
-	| sed -e 's/^\.//' \
-	| sort -u >> $(OBJDIR)/lib$(LIBRARY_NAME)_syms
-	$(LD) $(XCFLAGS) -o $@ $(OBJS) -bE:$(OBJDIR)/lib$(LIBRARY_NAME)_syms \
-	-bM:SRE -bnoentry $(OS_LIBS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS)
-else
-ifeq ($(OS_ARCH), WINNT)
-ifeq ($(OS_TARGET), WIN16)
-	echo system windows dll initinstance >w16link
-	echo option map >>w16link
-	echo option oneautodata >>w16link
-	echo option heapsize=32K >>w16link
-	echo debug watcom all >>w16link
-	echo name $@ >>w16link
-	echo file >>w16link
-	echo $(W16OBJS) >>w16link
-	echo $(W16LIBS) >>w16link
-	echo libfile libentry >>w16link
-	$(LINK) @w16link.
-	rm w16link
-else
-	$(LINK_DLL) -MAP $(DLLBASE) $(OBJS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS) $(LD_LIBS)
-endif
-else
-	$(MKSHLIB) -o $@ $(OBJS) $(LD_LIBS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS)
-	chmod +x $@
-endif
-endif
-ifneq ($(POLICY),)
-#ifdef COMPRESS_TARGET
-#	$(COMPRESS_TARGET)
-#	cp $@ $@.org
-#endif
-	-$(PLCYPATCH) $(PLCYPATCH_ARGS) $@
-endif
-
-$(PURE_LIBRARY):
-	rm -f $@
-ifneq ($(OS_ARCH), WINNT)
-	$(AR) $(OBJS)
-endif
-	$(RANLIB) $@
-
-ifeq ($(OS_ARCH), WINNT)
-$(RES): $(RESNAME)
-	@$(MAKE_OBJDIR)
-	$(RC) -Fo$(RES) $(RESNAME)
-	@echo $(RES) finished
-endif
-
-$(OBJDIR)/$(PROG_PREFIX)%$(PROG_SUFFIX): $(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX)
-	@$(MAKE_OBJDIR)
-ifeq ($(OS_ARCH),WINNT)
-	$(MKPROG) $(OBJDIR)/$(PROG_PREFIX)$*$(OBJ_SUFFIX) -Fe$@ -link \
-	$(LDFLAGS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS)
-else
-	$(MKPROG) -o $@ $(OBJDIR)/$(PROG_PREFIX)$*$(OBJ_SUFFIX) \
-	$(LDFLAGS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS)
-endif
-
-ifdef HAVE_PURIFY
-$(OBJDIR)/$(PROG_PREFIX)%.pure: $(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX)
-	@$(MAKE_OBJDIR)
-ifeq ($(OS_ARCH),WINNT)
-	$(PURIFY) $(CC) -Fo$@ -c $(CFLAGS) $(OBJDIR)/$(PROG_PREFIX)$*$(OBJ_SUFFIX) $(PURELDFLAGS)
-else
-	$(PURIFY) $(CC) -o $@ $(CFLAGS) $(OBJDIR)/$(PROG_PREFIX)$*$(OBJ_SUFFIX) $(PURELDFLAGS)
-endif
-endif
-
-WCCFLAGS1 := $(subst /,\\,$(CFLAGS))
-WCCFLAGS2 := $(subst -I,-i=,$(WCCFLAGS1))
-WCCFLAGS3 := $(subst -D,-d,$(WCCFLAGS2))
-
-$(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX): %.c
-	@$(MAKE_OBJDIR)
-ifeq ($(OS_ARCH), WINNT)
-ifeq ($(OS_TARGET), WIN16)
-	echo $(WCCFLAGS3) >w16wccf
-	$(CC) -zq -fo$(OBJDIR)\\$(PROG_PREFIX)$*$(OBJ_SUFFIX)  @w16wccf $*.c
-	rm w16wccf
-else
-	$(CC) -Fo$@ -c $(CFLAGS) $*.c
-endif
-else
-	$(CC) -o $@ -c $(CFLAGS) $*.c
-endif
-
-ifneq ($(OS_ARCH), WINNT)
-$(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX): %.s
-	@$(MAKE_OBJDIR)
-	$(AS) -o $@ $(ASFLAGS) -c $*.s
-endif
-
-$(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX): %.asm
-	@$(MAKE_OBJDIR)
-	$(AS) -Fo$@ $(ASFLAGS) -c $*.asm
-
-$(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX): %.S
-	@$(MAKE_OBJDIR)
-	$(AS) -o $@ $(ASFLAGS) -c $*.S
-
-$(OBJDIR)/$(PROG_PREFIX)%: %.cpp
-	@$(MAKE_OBJDIR)
-ifeq ($(OS_ARCH), WINNT)
-	$(CCC) -Fo$@ -c $(CFLAGS) $<
-else
-	$(CCC) -o $@ -c $(CFLAGS) $<
-endif
-
-#
-# Please keep the next two rules in sync.
-#
-$(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX): %.cc
-	@$(MAKE_OBJDIR)
-	$(CCC) -o $@ -c $(CFLAGS) $*.cc
-
-$(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX): %.cpp
-	@$(MAKE_OBJDIR)
-ifdef STRICT_CPLUSPLUS_SUFFIX
-	echo "#line 1 \"$*.cpp\"" | cat - $*.cpp > $(OBJDIR)/t_$*.cc
-	$(CCC) -o $@ -c $(CFLAGS) $(OBJDIR)/t_$*.cc
-	rm -f $(OBJDIR)/t_$*.cc
-else
-ifeq ($(OS_ARCH),WINNT)
-	$(CCC) -Fo$@ -c $(CFLAGS) $*.cpp
-else
-	$(CCC) -o $@ -c $(CFLAGS) $*.cpp
-endif
-endif #STRICT_CPLUSPLUS_SUFFIX
-
-%.i: %.cpp
-ifeq ($(OS_TARGET), WIN16)
-	echo $(WCCFLAGS3) >w16wccf
-	$(CCC) -pl -fo=$* @w16wccf $*.cpp
-	rm w16wccf
-else
-	$(CCC) -C -E $(CFLAGS) $< > $*.i
-endif
-
-%.i: %.c
-ifeq ($(OS_TARGET), WIN16)
-	echo $(WCCFLAGS3) >w16wccf
-	$(CC) -pl -fo=$* @w16wccf $*.c
-	rm w16wccf
-else
-ifeq ($(OS_ARCH),WINNT)
-	$(CC) -C /P $(CFLAGS) $< 
-else
-	$(CC) -C -E $(CFLAGS) $< > $*.i
-endif
-endif
-
-ifneq ($(OS_ARCH), WINNT)
-%.i: %.s
-	$(CC) -C -E $(CFLAGS) $< > $*.i
-endif
-
-%: %.pl
-	rm -f $@; cp $*.pl $@; chmod +x $@
-
-%: %.sh
-	rm -f $@; cp $*.sh $@; chmod +x $@
-
-ifdef DIRS
-$(DIRS)::
-	@if test -d $@; then				\
-		set $(EXIT_ON_ERROR);			\
-		echo "cd $@; $(MAKE)";			\
-		cd $@; $(MAKE);				\
-		set +e;					\
-	else						\
-		echo "Skipping non-directory $@...";	\
-	fi;						\
-	$(CLICK_STOPWATCH)
-endif
-
-################################################################################
-# Bunch of things that extend the 'export' rule (in order):
-################################################################################
-
-$(JAVA_DESTPATH) $(JAVA_DESTPATH)/$(PACKAGE) $(JMCSRCDIR)::
-	@if test ! -d $@; then	    \
-		echo Creating $@;   \
-		rm -rf $@;	    \
-		$(NSINSTALL) -D $@; \
-	fi
-
-################################################################################
-## IDL_GEN
-
-ifneq ($(IDL_GEN),)
-
-#export::
-#	$(IDL2JAVA) $(IDL_GEN)
-
-#all:: export
-
-#clobber::
-#	rm -f $(IDL_GEN:.idl=.class)	# XXX wrong!
-
-endif
-
-################################################################################
-### JSRCS -- for compiling java files
-###
-###          NOTE:  For backwards compatibility, if $(NETLIBDEPTH) is defined,
-###                 replace $(CORE_DEPTH) with $(NETLIBDEPTH).
-###
-
-ifneq ($(JSRCS),)
-ifneq ($(JAVAC),)
-ifdef NETLIBDEPTH
-	CORE_DEPTH := $(NETLIBDEPTH)
-endif
-
-JAVA_EXPORT_SRCS=$(shell perl $(CORE_DEPTH)/coreconf/outofdate.pl $(PERLARG)	-d $(JAVA_DESTPATH)/$(PACKAGE) $(JSRCS) $(PRIVATE_JSRCS))
-
-export:: $(JAVA_DESTPATH) $(JAVA_DESTPATH)/$(PACKAGE)
-ifneq ($(JAVA_EXPORT_SRCS),)
-	$(JAVAC) $(JAVA_EXPORT_SRCS)
-endif
-
-all:: export
-
-clobber::
-	rm -f $(SOURCE_XP_DIR)/classes/$(PACKAGE)/*.class
-
-endif
-endif
-
-#
-# JDIRS -- like JSRCS, except you can give a list of directories and it will
-# compile all the out-of-date java files in those directories.
-#
-# NOTE: recursing through these can speed things up, but they also cause
-# some builds to run out of memory
-#
-# NOTE:  For backwards compatibility, if $(NETLIBDEPTH) is defined,
-#        replace $(CORE_DEPTH) with $(NETLIBDEPTH).
-#
-ifdef JDIRS
-ifneq ($(JAVAC),)
-ifdef NETLIBDEPTH
-	CORE_DEPTH := $(NETLIBDEPTH)
-endif
-
-export:: $(JAVA_DESTPATH) $(JAVA_DESTPATH)/$(PACKAGE)
-	@for d in $(JDIRS); do							\
-		if test -d $$d; then						\
-			set $(EXIT_ON_ERROR);					\
-			files=`echo $$d/*.java`;				\
-			list=`perl $(CORE_DEPTH)/coreconf/outofdate.pl $(PERLARG)	\
-				    -d $(JAVA_DESTPATH)/$(PACKAGE) $$files`;	\
-			if test "$${list}x" != "x"; then			\
-			    echo Building all java files in $$d;		\
-			    echo $(JAVAC) $$list;				\
-			    $(JAVAC) $$list;					\
-			fi;							\
-			set +e;							\
-		else								\
-			echo "Skipping non-directory $$d...";			\
-		fi;								\
-		$(CLICK_STOPWATCH);						\
-	done
-endif
-endif
-
-#
-# JDK_GEN -- for generating "old style" native methods 
-#
-# Generate JDK Headers and Stubs into the '_gen' and '_stubs' directory
-#
-# NOTE:  For backwards compatibility, if $(NETLIBDEPTH) is defined,
-#        replace $(CORE_DEPTH) with $(NETLIBDEPTH).
-#
-ifneq ($(JDK_GEN),)
-ifneq ($(JAVAH),)
-ifdef NSBUILDROOT
-	INCLUDES += -I$(JDK_GEN_DIR) -I$(SOURCE_XP_DIR)
-else
-	INCLUDES += -I$(JDK_GEN_DIR)
-endif
-
-ifdef NETLIBDEPTH
-	CORE_DEPTH := $(NETLIBDEPTH)
-endif
-
-JDK_PACKAGE_CLASSES	:= $(JDK_GEN)
-JDK_PATH_CLASSES	:= $(subst .,/,$(JDK_PACKAGE_CLASSES))
-JDK_HEADER_CLASSFILES	:= $(patsubst %,$(JAVA_DESTPATH)/%.class,$(JDK_PATH_CLASSES))
-JDK_STUB_CLASSFILES	:= $(patsubst %,$(JAVA_DESTPATH)/%.class,$(JDK_PATH_CLASSES))
-JDK_HEADER_CFILES	:= $(patsubst %,$(JDK_GEN_DIR)/%.h,$(JDK_GEN))
-JDK_STUB_CFILES		:= $(patsubst %,$(JDK_STUB_DIR)/%.c,$(JDK_GEN))
-
-$(JDK_HEADER_CFILES): $(JDK_HEADER_CLASSFILES)
-$(JDK_STUB_CFILES): $(JDK_STUB_CLASSFILES)
-
-export::
-	@echo Generating/Updating JDK headers 
-	$(JAVAH) -d $(JDK_GEN_DIR) $(JDK_PACKAGE_CLASSES)
-	@echo Generating/Updating JDK stubs
-	$(JAVAH) -stubs -d $(JDK_STUB_DIR) $(JDK_PACKAGE_CLASSES)
-ifndef NO_MAC_JAVA_SHIT
-	@if test ! -d $(CORE_DEPTH)/lib/mac/Java/; then						\
-		echo "!!! You need to have a ns/lib/mac/Java directory checked out.";		\
-		echo "!!! This allows us to automatically update generated files for the mac.";	\
-		echo "!!! If you see any modified files there, please check them in.";		\
-	fi
-	@echo Generating/Updating JDK headers for the Mac
-	$(JAVAH) -mac -d $(CORE_DEPTH)/lib/mac/Java/_gen $(JDK_PACKAGE_CLASSES)
-	@echo Generating/Updating JDK stubs for the Mac
-	$(JAVAH) -mac -stubs -d $(CORE_DEPTH)/lib/mac/Java/_stubs $(JDK_PACKAGE_CLASSES)
-endif
-endif
-endif
-
-#
-# JRI_GEN -- for generating "old style" JRI native methods
-#
-# Generate JRI Headers and Stubs into the 'jri' directory
-#
-# NOTE:  For backwards compatibility, if $(NETLIBDEPTH) is defined,
-#        replace $(CORE_DEPTH) with $(NETLIBDEPTH).
-#
-ifneq ($(JRI_GEN),)
-ifneq ($(JAVAH),)
-ifdef NSBUILDROOT
-	INCLUDES += -I$(JRI_GEN_DIR) -I$(SOURCE_XP_DIR)
-else
-	INCLUDES += -I$(JRI_GEN_DIR)
-endif
-
-ifdef NETLIBDEPTH
-	CORE_DEPTH := $(NETLIBDEPTH)
-endif
-
-JRI_PACKAGE_CLASSES	:= $(JRI_GEN)
-JRI_PATH_CLASSES	:= $(subst .,/,$(JRI_PACKAGE_CLASSES))
-JRI_HEADER_CLASSFILES	:= $(patsubst %,$(JAVA_DESTPATH)/%.class,$(JRI_PATH_CLASSES))
-JRI_STUB_CLASSFILES	:= $(patsubst %,$(JAVA_DESTPATH)/%.class,$(JRI_PATH_CLASSES))
-JRI_HEADER_CFILES	:= $(patsubst %,$(JRI_GEN_DIR)/%.h,$(JRI_GEN))
-JRI_STUB_CFILES		:= $(patsubst %,$(JRI_GEN_DIR)/%.c,$(JRI_GEN))
-
-$(JRI_HEADER_CFILES): $(JRI_HEADER_CLASSFILES)
-$(JRI_STUB_CFILES): $(JRI_STUB_CLASSFILES)
-
-export::
-	@echo Generating/Updating JRI headers 
-	$(JAVAH) -jri -d $(JRI_GEN_DIR) $(JRI_PACKAGE_CLASSES)
-	@echo Generating/Updating JRI stubs
-	$(JAVAH) -jri -stubs -d $(JRI_GEN_DIR) $(JRI_PACKAGE_CLASSES)
-ifndef NO_MAC_JAVA_SHIT
-	@if test ! -d $(CORE_DEPTH)/lib/mac/Java/; then						\
-		echo "!!! You need to have a ns/lib/mac/Java directory checked out.";		\
-		echo "!!! This allows us to automatically update generated files for the mac.";	\
-		echo "!!! If you see any modified files there, please check them in.";		\
-	fi
-	@echo Generating/Updating JRI headers for the Mac
-	$(JAVAH) -jri -mac -d $(CORE_DEPTH)/lib/mac/Java/_jri $(JRI_PACKAGE_CLASSES)
-	@echo Generating/Updating JRI stubs for the Mac
-	$(JAVAH) -jri -mac -stubs -d $(CORE_DEPTH)/lib/mac/Java/_jri $(JRI_PACKAGE_CLASSES)
-endif
-endif
-endif
-
-#
-# JNI_GEN -- for generating JNI native methods
-#
-# Generate JNI Headers into the 'jni' directory
-#
-ifneq ($(JNI_GEN),)
-ifneq ($(JAVAH),)
-JNI_HEADERS		:= $(patsubst %,$(JNI_GEN_DIR)/%.h,$(JNI_GEN))
-
-export::
-	@if test ! -d $(JNI_GEN_DIR); then						\
-		echo $(JAVAH) -jni -d $(JNI_GEN_DIR) $(JNI_GEN);			\
-		$(JAVAH) -jni -d $(JNI_GEN_DIR) $(JNI_GEN);				\
-	else										\
-		echo "Checking for out of date header files" ;                          \
-		cmd="perl $(CORE_DEPTH)/coreconf/jniregen.pl $(PERLARG)			\
-				-d $(JAVA_DESTPATH) $(JNI_GEN)";			\
-		echo $$cmd;								\
-		list=`$$cmd`;								\
-		if test "$${list}x" != "x"; then					\
-			echo $(JAVAH) -jni -d $(JNI_GEN_DIR) $$list;			\
-			$(JAVAH) -jni -d $(JNI_GEN_DIR) $$list;				\
-		fi									\
-	fi
-endif
-endif
-
-#
-# JMC_EXPORT -- for declaring which java classes are to be exported for jmc
-#
-ifneq ($(JMC_EXPORT),)
-JMC_EXPORT_PATHS	:= $(subst .,/,$(JMC_EXPORT))
-JMC_EXPORT_FILES	:= $(patsubst %,$(JAVA_DESTPATH)/$(PACKAGE)/%.class,$(JMC_EXPORT_PATHS))
-
-#
-# We're doing NSINSTALL -t here (copy mode) because calling INSTALL will pick up 
-# your NSDISTMODE and make links relative to the current directory. This is a
-# problem because the source isn't in the current directory:
-#
-export:: $(JMC_EXPORT_FILES) $(JMCSRCDIR)
-	$(NSINSTALL) -t -m 444 $(JMC_EXPORT_FILES) $(JMCSRCDIR)
-endif
-
-#
-# JMC_GEN -- for generating java modules
-#
-# Provide default export & install rules when using JMC_GEN
-#
-ifneq ($(JMC_GEN),)
-ifneq ($(JMC),)
-	INCLUDES    += -I$(JMC_GEN_DIR) -I.
-	JMC_HEADERS := $(patsubst %,$(JMC_GEN_DIR)/%.h,$(JMC_GEN))
-	JMC_STUBS   := $(patsubst %,$(JMC_GEN_DIR)/%.c,$(JMC_GEN))
-	JMC_OBJS    := $(patsubst %,$(OBJDIR)/%$(OBJ_SUFFIX),$(JMC_GEN))
-
-$(JMC_GEN_DIR)/M%.h: $(JMCSRCDIR)/%.class
-	$(JMC) -d $(JMC_GEN_DIR) -interface $(JMC_GEN_FLAGS) $(?F:.class=)
-
-$(JMC_GEN_DIR)/M%.c: $(JMCSRCDIR)/%.class
-	$(JMC) -d $(JMC_GEN_DIR) -module $(JMC_GEN_FLAGS) $(?F:.class=)
-
-$(OBJDIR)/M%$(OBJ_SUFFIX): $(JMC_GEN_DIR)/M%.h $(JMC_GEN_DIR)/M%.c
-	@$(MAKE_OBJDIR)
-	$(CC) -o $@ -c $(CFLAGS) $(JMC_GEN_DIR)/M$*.c
-
-export:: $(JMC_HEADERS) $(JMC_STUBS)
-endif
-endif
-
-#
-# Copy each element of EXPORTS to $(SOURCE_XP_DIR)/public/$(MODULE)/
-#
-PUBLIC_EXPORT_DIR = $(SOURCE_XP_DIR)/public/$(MODULE)
-ifeq ($(OS_ARCH),WINNT)
-ifeq ($(OS_TARGET),WIN16)
-PUBLIC_EXPORT_DIR = $(SOURCE_XP_DIR)/public/win16
-endif
-endif
-
-ifneq ($(EXPORTS),)
-$(PUBLIC_EXPORT_DIR)::
-	@if test ! -d $@; then	    \
-		echo Creating $@;   \
-		$(NSINSTALL) -D $@; \
-	fi
-
-export:: $(EXPORTS) $(PUBLIC_EXPORT_DIR)
-	$(INSTALL) -m 444 $(EXPORTS) $(PUBLIC_EXPORT_DIR)
-endif
-
-# Duplicate export rule for private exports, with different directories
-
-PRIVATE_EXPORT_DIR = $(SOURCE_XP_DIR)/private/$(MODULE)
-ifeq ($(OS_ARCH),WINNT)
-ifeq ($(OS_TARGET),WIN16)
-PRIVATE_EXPORT_DIR = $(SOURCE_XP_DIR)/public/win16
-endif
-endif
-
-ifneq ($(PRIVATE_EXPORTS),)
-$(PRIVATE_EXPORT_DIR)::
-	@if test ! -d $@; then	    \
-		echo Creating $@;   \
-		$(NSINSTALL) -D $@; \
-	fi
-
-private_export:: $(PRIVATE_EXPORTS) $(PRIVATE_EXPORT_DIR)
-	$(INSTALL) -m 444 $(PRIVATE_EXPORTS) $(PRIVATE_EXPORT_DIR)
-else
-private_export:: 
-	@echo There are no private exports.;
-endif
-
-##########################################################################
-###   RULES FOR RUNNING REGRESSION SUITE TESTS
-###   REQUIRES 'REGRESSION_SPEC' TO BE SET TO THE NAME OF A REGRESSION SPECFILE
-###   AND RESULTS_SUBDIR TO BE SET TO SOMETHING LIKE SECURITY/PKCS5
-##########################################################################
-
-TESTS_DIR = $(RESULTS_DIR)/$(RESULTS_SUBDIR)/$(OS_CONFIG)$(CPU_TAG)$(COMPILER_TAG)$(IMPL_STRATEGY)
-
-ifneq ($(REGRESSION_SPEC),)
-tests:: $(REGRESSION_SPEC) 
-	cd $(PLATFORM); \
-	../$(SOURCE_MD_DIR)/bin/regress$(PROG_SUFFIX) specfile=../$(REGRESSION_SPEC) progress $(EXTRA_REGRESS_OPTIONS); \
-	if test ! -d $(TESTS_DIR); then \
-		echo Creating $(TESTS_DIR);   \
-		$(NSINSTALL) -D $(TESTS_DIR); \
-	fi
-ifneq ($(BUILD_OPT),)
-	$(NSINSTALL) -m 664 $(PLATFORM)/$(REGDATE).sum $(TESTS_DIR); \
-	$(NSINSTALL) -m 664 $(PLATFORM)/$(REGDATE).htm $(TESTS_DIR); \
-	echo "Please now make sure your results files are copied to $(TESTS_DIR), "; \
-	echo "then run 'reporter specfile=$(RESULTS_DIR)/rptspec'"
-endif
-else
-tests:: 
-	@echo Error: you didn't specify REGRESSION_SPEC in your manifest.mn file!;
-endif
-
-
-# Duplicate export rule for releases, with different directories
-
-ifneq ($(EXPORTS),)
-$(SOURCE_RELEASE_XP_DIR)/include::
-	@if test ! -d $@; then	    \
-		echo Creating $@;   \
-		$(NSINSTALL) -D $@; \
-	fi
-
-release_export:: $(EXPORTS) $(SOURCE_RELEASE_XP_DIR)/include
-	$(INSTALL) -m 444 $(EXPORTS) $(SOURCE_RELEASE_XP_DIR)/include
-endif
-
-
-
-
-################################################################################
-
--include $(DEPENDENCIES)
-
-ifneq ($(OS_ARCH),WINNT)
-# Can't use sed because of its 4000-char line length limit, so resort to perl
-.DEFAULT:
-	@perl -e '                                                            \
-	    open(MD, "< $(DEPENDENCIES)");                                    \
-	    while (<MD>) {                                                    \
-		if (m@ \.*/*$< @) {                                           \
-		    $$found = 1;                                              \
-		    last;                                                     \
-		}                                                             \
-	    }                                                                 \
-	    if ($$found) {                                                    \
-		print "Removing stale dependency $< from $(DEPENDENCIES)\n";  \
-		seek(MD, 0, 0);                                               \
-		$$tmpname = "$(OBJDIR)/fix.md" . $$$$;                        \
-		open(TMD, "> " . $$tmpname);                                  \
-		while (<MD>) {                                                \
-		    s@ \.*/*$< @ @;                                           \
-		    if (!print TMD "$$_") {                                   \
-			unlink(($$tmpname));                                  \
-			exit(1);                                              \
-		    }                                                         \
-		}                                                             \
-		close(TMD);                                                   \
-		if (!rename($$tmpname, "$(DEPENDENCIES)")) {                  \
-		    unlink(($$tmpname));                                      \
-		}                                                             \
-	    } elsif ("$<" ne "$(DEPENDENCIES)") {                             \
-		print "$(MAKE): *** No rule to make target $<.  Stop.\n";     \
-		exit(1);                                                      \
-	    }'
-endif
-
-#############################################################################
-# X dependency system
-#############################################################################
-
-ifdef MKDEPENDENCIES
-
-# For Windows, $(MKDEPENDENCIES) must be -included before including rules.mk
-
-$(MKDEPENDENCIES)::
-	@$(MAKE_OBJDIR)
-	touch $(MKDEPENDENCIES) 
-	chmod u+w $(MKDEPENDENCIES) 
-#on NT, the preceeding touch command creates a read-only file !?!?!
-#which is why we have to explicitly chmod it.
-	$(MKDEPEND) -p$(OBJDIR_NAME)/ -o'$(OBJ_SUFFIX)' -f$(MKDEPENDENCIES) \
-$(NOMD_CFLAGS) $(YOPT) $(CSRCS) $(CPPSRCS) $(ASFILES)
-
-$(MKDEPEND):: $(MKDEPEND_DIR)/*.c $(MKDEPEND_DIR)/*.h
-	cd $(MKDEPEND_DIR); $(MAKE)
-
-ifdef OBJS
-depend:: $(MKDEPEND) $(MKDEPENDENCIES)
-else
-depend::
-endif
-	+$(LOOP_OVER_DIRS)
-
-dependclean::
-	rm -f $(MKDEPENDENCIES)
-	+$(LOOP_OVER_DIRS)
-
-#-include $(NSINSTALL_DIR)/$(OBJDIR)/depend.mk
-
-else
-depend::
-endif
-
-################################################################################
-# Special gmake rules.
-################################################################################
-
-#
-# Re-define the list of default suffixes, so gmake won't have to churn through
-# hundreds of built-in suffix rules for stuff we don't need.
-#
-.SUFFIXES:
-.SUFFIXES: .out .a .ln .o .obj .c .cc .C .cpp .y .l .s .S .h .sh .i .pl .class .java .html .asm
-
-#
-# Don't delete these files if we get killed.
-#
-.PRECIOUS: .java $(JDK_HEADERS) $(JDK_STUBS) $(JRI_HEADERS) $(JRI_STUBS) $(JMC_HEADERS) $(JMC_STUBS) $(JNI_HEADERS)
-
-#
-# Fake targets.  Always run these rules, even if a file/directory with that
-# name already exists.
-#
-.PHONY: all all_platforms alltags boot clean clobber clobber_all export install libs realclean release $(OBJDIR) $(DIRS)
-
diff --git a/security/coreconf/ruleset.mk b/security/coreconf/ruleset.mk
deleted file mode 100644
index 16c19bc7b..000000000
--- a/security/coreconf/ruleset.mk
+++ /dev/null
@@ -1,362 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#######################################################################
-#                                                                     #
-# Parameters to this makefile (set these in this file):               #
-#                                                                     #
-# a)                                                                  #
-#	TARGETS	-- the target to create                               #
-#			(defaults to $LIBRARY $PROGRAM)               #
-# b)                                                                  #
-#	DIRS	-- subdirectories for make to recurse on              #
-#			(the 'all' rule builds $TARGETS $DIRS)        #
-# c)                                                                  #
-#	CSRCS, CPPSRCS -- .c and .cpp files to compile                #
-#			(used to define $OBJS)                        #
-# d)                                                                  #
-#	PROGRAM	-- the target program name to create from $OBJS       #
-#			($OBJDIR automatically prepended to it)       #
-# e)                                                                  #
-#	LIBRARY	-- the target library name to create from $OBJS       #
-#			($OBJDIR automatically prepended to it)       #
-# f)                                                                  #
-#	JSRCS	-- java source files to compile into class files      #
-#			(if you don't specify this it will default    #
-#			 to *.java)                                   #
-# g)                                                                  #
-#	PACKAGE	-- the package to put the .class files into           #
-#			(e.g. netscape/applet)                        #
-#			(NOTE: the default definition for this may be #
-#                              overridden if "jdk.mk" is included)    #
-# h)                                                                  #
-#	JMC_EXPORT -- java files to be exported for use by JMC_GEN    #
-#			(this is a list of Class names)               #
-# i)                                                                  #
-#	JRI_GEN	-- files to run through javah to generate headers     #
-#                  and stubs                                          #
-#			(output goes into the _jri sub-dir)           #
-# j)                                                                  #
-#	JMC_GEN	-- files to run through jmc to generate headers       #
-#                  and stubs                                          #
-#			(output goes into the _jmc sub-dir)           #
-# k)                                                                  #
-#	JNI_GEN	-- files to run through javah to generate headers     #
-#			(output goes into the _jni sub-dir)           #
-#                                                                     #
-#######################################################################
-
-#
-#  At this time, the CPU_TAG value is actually assigned.
-#
-
-CPU_TAG =
-
-#
-# When the processor is NOT 386-based on Windows NT, override the
-# value of $(CPU_TAG).
-#
-ifeq ($(OS_ARCH), WINNT)
-	ifneq ($(CPU_ARCH),x386)
-		CPU_TAG = _$(CPU_ARCH)
-	endif
-endif
-
-#
-# Always set CPU_TAG on Linux.
-#
-ifeq ($(OS_ARCH), Linux)
-	CPU_TAG = _$(CPU_ARCH)
-endif
-
-#
-#  At this time, the COMPILER_TAG value is actually assigned.
-#
-
-ifndef COMPILER_TAG
-ifneq ($(DEFAULT_COMPILER), $(CC))
-#
-# Temporary define for the Client; to be removed when binary release is used
-#
-	ifdef MOZILLA_CLIENT
-		COMPILER_TAG =
-	else
-		COMPILER_TAG = _$(CC)
-	endif
-else
-	COMPILER_TAG =
-endif
-endif
-
-#
-#  At this time, a default value of $(CC) is assigned to MKPROG.
-#
-
-ifeq ($(MKPROG),)
-	MKPROG = $(CC)
-endif
-
-#
-# This makefile contains rules for building the following kinds of
-# objects:
-# - (1) LIBRARY: a static (archival) library
-# - (2) SHARED_LIBRARY: a shared (dynamic link) library
-# - (3) IMPORT_LIBRARY: an import library, used only on Windows
-# - (4) PURE_LIBRARY: a library for Purify
-# - (5) PROGRAM: an executable binary
-#
-# NOTE:  The names of libraries can be generated by simply specifying
-# LIBRARY_NAME (and LIBRARY_VERSION in the case of non-static libraries).
-#
-
-ifdef LIBRARY_NAME
-	ifeq ($(OS_ARCH), WINNT)
-		#
-		# Win16 requires library names conforming to the 8.3 rule.
-		# other platforms do not.
-		#
-		LIBRARY        = $(OBJDIR)/$(LIBRARY_NAME).lib
-		ifeq ($(OS_TARGET), WIN16)
-			SHARED_LIBRARY = $(OBJDIR)/$(LIBRARY_NAME)$(LIBRARY_VERSION)16$(JDK_DEBUG_SUFFIX).dll
-			IMPORT_LIBRARY = $(OBJDIR)/$(LIBRARY_NAME)$(LIBRARY_VERSION)16$(JDK_DEBUG_SUFFIX).lib
-		else
-			SHARED_LIBRARY = $(OBJDIR)/$(LIBRARY_NAME)$(LIBRARY_VERSION)32$(JDK_DEBUG_SUFFIX).dll
-			IMPORT_LIBRARY = $(OBJDIR)/$(LIBRARY_NAME)$(LIBRARY_VERSION)32$(JDK_DEBUG_SUFFIX).lib
-		endif
-	else
-		LIBRARY = $(OBJDIR)/lib$(LIBRARY_NAME).$(LIB_SUFFIX)
-		ifeq ($(OS_ARCH)$(OS_RELEASE), AIX4.1)
-			SHARED_LIBRARY = $(OBJDIR)/lib$(LIBRARY_NAME)$(LIBRARY_VERSION)_shr$(JDK_DEBUG_SUFFIX).a
-		else
-			SHARED_LIBRARY = $(OBJDIR)/lib$(LIBRARY_NAME)$(LIBRARY_VERSION)$(JDK_DEBUG_SUFFIX).$(DLL_SUFFIX)
-		endif
-
-		ifdef HAVE_PURIFY
-			ifdef DSO_BACKEND
-				PURE_LIBRARY = $(OBJDIR)/purelib$(LIBRARY_NAME)$(LIBRARY_VERSION)$(JDK_DEBUG_SUFFIX).$(DLL_SUFFIX)
-			else
-				PURE_LIBRARY = $(OBJDIR)/purelib$(LIBRARY_NAME).$(LIB_SUFFIX)
-			endif
-		endif
-	endif
-endif
-
-#
-# Common rules used by lots of makefiles...
-#
-
-ifdef PROGRAM
-	PROGRAM := $(addprefix $(OBJDIR)/, $(PROGRAM)$(JDK_DEBUG_SUFFIX)$(PROG_SUFFIX))
-endif
-
-ifdef PROGRAMS
-	PROGRAMS := $(addprefix $(OBJDIR)/, $(PROGRAMS:%=%$(JDK_DEBUG_SUFFIX)$(PROG_SUFFIX)))
-endif
-
-ifndef TARGETS
-	ifeq ($(OS_ARCH), WINNT)
-		TARGETS = $(LIBRARY) $(SHARED_LIBRARY) $(IMPORT_LIBRARY) $(PROGRAM)
-	else
-		TARGETS = $(LIBRARY) $(SHARED_LIBRARY)
-		ifdef HAVE_PURIFY
-			TARGETS += $(PURE_LIBRARY)
-		endif
-		TARGETS += $(PROGRAM)
-	endif
-endif
-
-ifndef OBJS
-	SIMPLE_OBJS = $(JRI_STUB_CFILES) \
-		$(addsuffix $(OBJ_SUFFIX), $(JMC_GEN)) \
-		$(CSRCS:.c=$(OBJ_SUFFIX)) \
-		$(CPPSRCS:.cpp=$(OBJ_SUFFIX)) \
-		$(ASFILES:$(ASM_SUFFIX)=$(OBJ_SUFFIX))
-	OBJS = $(addprefix $(OBJDIR)/$(PROG_PREFIX), $(SIMPLE_OBJS))
-endif
-
-ifeq ($(OS_TARGET), WIN16)
-	comma   := ,
-	empty   :=
-	space   := $(empty) $(empty)
-	W16OBJS := $(subst $(space),$(comma)$(space),$(strip $(OBJS)))
-	W16TEMP  = $(OS_LIBS) $(EXTRA_LIBS)
-	ifeq ($(strip $(W16TEMP)),)
-		W16LIBS =
-	else
-		W16LIBS := library $(subst $(space),$(comma)$(space),$(strip $(W16TEMP)))
-	endif
-endif
-
-ifeq ($(OS_ARCH),WINNT)
-	ifneq ($(OS_TARGET), WIN16)
-		OBJS += $(RES)
-	endif
-	MAKE_OBJDIR		= $(INSTALL) -D $(OBJDIR)
-else
-	define MAKE_OBJDIR
-	if test ! -d $(@D); then rm -rf $(@D); $(NSINSTALL) -D $(@D); fi
-	endef
-endif
-
-ifndef PACKAGE
-	PACKAGE = .
-endif
-
-ALL_TRASH :=	$(TARGETS) $(OBJS) $(OBJDIR) LOGS TAGS $(GARBAGE) \
-		$(NOSUCHFILE) $(JDK_HEADER_CFILES) $(JDK_STUB_CFILES) \
-		$(JRI_HEADER_CFILES) $(JRI_STUB_CFILES) $(JNI_HEADERS) $(JMC_STUBS) \
-		$(JMC_HEADERS) $(JMC_EXPORT_FILES) so_locations \
-		_gen _jmc _jri _jni _stubs \
-		$(wildcard $(JAVA_DESTPATH)/$(PACKAGE)/*.class)
-
-ifdef JDIRS
-	ALL_TRASH += $(addprefix $(JAVA_DESTPATH)/,$(JDIRS))
-endif
-
-ifdef NSBUILDROOT
-	JDK_GEN_DIR  = $(SOURCE_XP_DIR)/_gen
-	JMC_GEN_DIR  = $(SOURCE_XP_DIR)/_jmc
-	JNI_GEN_DIR  = $(SOURCE_XP_DIR)/_jni
-	JRI_GEN_DIR  = $(SOURCE_XP_DIR)/_jri
-	JDK_STUB_DIR = $(SOURCE_XP_DIR)/_stubs
-else
-	JDK_GEN_DIR  = _gen
-	JMC_GEN_DIR  = _jmc
-	JNI_GEN_DIR  = _jni
-	JRI_GEN_DIR  = _jri
-	JDK_STUB_DIR = _stubs
-endif
-
-#
-# If this is an "official" build, try to build everything.
-# I.e., don't exit on errors.
-#
-
-ifdef BUILD_OFFICIAL
-	EXIT_ON_ERROR		= +e
-	CLICK_STOPWATCH		= date
-else
-	EXIT_ON_ERROR		= -e
-	CLICK_STOPWATCH		= true
-endif
-
-ifdef REQUIRES
-ifeq ($(OS_TARGET),WIN16)
-	INCLUDES        += -I$(SOURCE_XP_DIR)/public/win16
-else
-	MODULE_INCLUDES := $(addprefix -I$(SOURCE_XP_DIR)/public/, $(REQUIRES))
-	INCLUDES        += $(MODULE_INCLUDES)
-	ifeq ($(MODULE), sectools)
-		PRIVATE_INCLUDES := $(addprefix -I$(SOURCE_XP_DIR)/private/, $(REQUIRES))
-		INCLUDES         += $(PRIVATE_INCLUDES)
-	endif
-endif
-endif
-
-ifdef SYSTEM_INCL_DIR
-	YOPT = -Y$(SYSTEM_INCL_DIR)
-endif
-
-ifdef DIRS
-	LOOP_OVER_DIRS		=						\
-		@for directory in $(DIRS); do					\
-			if test -d $$directory; then				\
-				set $(EXIT_ON_ERROR);				\
-				echo "cd $$directory; $(MAKE) $@";		\
-				$(MAKE) -C $$directory $@;			\
-				set +e;						\
-			else							\
-				echo "Skipping non-directory $$directory...";	\
-			fi;							\
-			$(CLICK_STOPWATCH);					\
-		done
-endif
-
-
-
-# special stuff for tests rule in rules.mk
-
-ifneq ($(OS_ARCH),WINNT)
-	REGDATE = $(subst \ ,, $(shell perl  $(CORE_DEPTH)/$(MODULE)/scripts/now))
-else
-	REGCOREDEPTH = $(subst \\,/,$(CORE_DEPTH))
-	REGDATE = $(subst \ ,, $(shell perl  $(CORE_DEPTH)/$(MODULE)/scripts/now))
-endif
-
-#
-# export control policy patcher program and arguments
-#
-
-PLCYPATCH     = $(SOURCE_BIN_DIR)/plcypatch$(PROG_SUFFIX)
-
-DOMESTIC_POLICY = -us
-EXPORT_POLICY   = -ex
-FRANCE_POLICY   = -fr
-
-ifeq ($(POLICY), domestic)
-	PLCYPATCH_ARGS = $(DOMESTIC_POLICY)
-else
-	ifeq ($(POLICY), export)
-		PLCYPATCH_ARGS = $(EXPORT_POLICY)
-	else
-		ifeq ($(POLICY), france)
-			PLCYPATCH_ARGS = $(FRANCE_POLICY)
-		else
-			PLCYPATCH_ARGS =
-		endif
-	endif
-endif
-
-#
-# Compressor for executables and DLLs on Win32.  Reduces download footprint 
-# and helps solve some export control problem.
-#
-# PKLIT32C Program must be installed to be used.  Path below is the default 
-# installation path.  No site license is available for this program.
-#
-ifeq ($(OS_ARCH), WINNT)
-ifdef BUILD_OPT
-
-PKLITE      = $(shell which PKLIT32C.EXE)
-PKLITE_ARGS = -is.rdata 
-
-#COMPRESS_TARGET = \
-#	@if test -f $(PKLITE); then \
-#	echo $(PKLITE) $(PKLITE_ARGS) $@; \
-#	$(PKLITE) $(PKLITE_ARGS) $@; fi
-ifneq ($(PKLITE), )
-COMPRESS_TARGET = pklit32c.exe $(PKLITE_ARGS)
-endif
-
-endif
-endif
diff --git a/security/coreconf/source.mk b/security/coreconf/source.mk
deleted file mode 100644
index 17f9a530d..000000000
--- a/security/coreconf/source.mk
+++ /dev/null
@@ -1,174 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#######################################################################
-# Master <component>-specific source import/export directories        #
-#######################################################################
-
-#
-# <user_source_tree> master import/export directory prefix
-#
-
-SOURCE_PREFIX = $(CORE_DEPTH)/dist
-ifdef MOZILLA_SECURITY_BUILD
-SOURCE_PREFIX = $(CORE_DEPTH)/../dist
-else
-ifdef MOZILLA_CLIENT
-SOURCE_PREFIX = $(CORE_DEPTH)/../mozilla/dist
-endif
-endif
-
-
-#
-# <user_source_tree> cross-platform (xp) master import/export directory
-#
-
-SOURCE_XP_DIR        = $(SOURCE_PREFIX)
-
-#
-# <user_source_tree> cross-platform (xp) import/export directories
-#
-
-SOURCE_CLASSES_DIR     = $(SOURCE_XP_DIR)/classes
-SOURCE_CLASSES_DBG_DIR = $(SOURCE_XP_DIR)/classes_DBG
-SOURCE_XPHEADERS_DIR   = $(SOURCE_XP_DIR)/public/$(MODULE)
-SOURCE_XPPRIVATE_DIR   = $(SOURCE_XP_DIR)/private/$(MODULE)
-
-ifdef BUILD_OPT
-	IMPORT_XPCLASS_DIR = $(SOURCE_CLASSES_DIR)
-else
-	IMPORT_XPCLASS_DIR = $(SOURCE_CLASSES_DBG_DIR)
-endif
-
-#
-# <user_source_tree> machine-dependent (md) master import/export directory
-#
-
-SOURCE_MD_DIR        = $(SOURCE_PREFIX)/$(PLATFORM)
-
-#
-# <user_source_tree> machine-dependent (md) import/export directories
-#
-
-SOURCE_BIN_DIR       = $(SOURCE_MD_DIR)/bin
-SOURCE_LIB_DIR       = $(SOURCE_MD_DIR)/lib
-SOURCE_MDHEADERS_DIR = $(SOURCE_MD_DIR)/include
-
-#######################################################################
-# Master <component>-specific source release directories and files    #
-#######################################################################
-
-#
-# <user_source_tree> source-side master release directory prefix
-# NOTE:  export control policy enforced for XP and MD files released to
-#        the staging area
-#
-
-ifeq ($(POLICY), domestic)
-	SOURCE_RELEASE_PREFIX = $(SOURCE_PREFIX)/release/domestic
-else
-	ifeq ($(POLICY), export)
-		SOURCE_RELEASE_PREFIX = $(SOURCE_PREFIX)/release/export
-	else
-		ifeq ($(POLICY), france)
-			SOURCE_RELEASE_PREFIX = $(SOURCE_PREFIX)/release/france
-		else
-#We shouldn't have to put another directory under here, but without it the perl
-#script for releasing doesn't find the directory. It thinks it doesn't exist.
-#So we're adding this no-policy directory so that the script for releasing works
-#in all casese when policy is not set. This doesn't affect where the final jar
-#files land, only where they are placed in the local tree when building the jar
-#files. When there is no policy, the jar files will still land in
-#<dist>/<module>/<date>/<platform> like they used to.
-			SOURCE_RELEASE_PREFIX = $(SOURCE_PREFIX)/release/no-policy
-		endif
-	endif
-endif
-
-#
-# <user_source_tree> cross-platform (xp) source-side master release directory
-#
-
-SOURCE_RELEASE_XP_DIR = $(SOURCE_RELEASE_PREFIX)
-
-#
-# <user_source_tree> cross-platform (xp) source-side release directories
-#
-
-SOURCE_RELEASE_CLASSES_DIR     = classes
-SOURCE_RELEASE_CLASSES_DBG_DIR = classes_DBG
-SOURCE_RELEASE_XPHEADERS_DIR   = include
-
-#
-# <user_source_tree> cross-platform (xp) JAR source-side release files
-#
-
-XPCLASS_JAR     = xpclass.jar
-XPCLASS_DBG_JAR = xpclass_dbg.jar
-XPHEADER_JAR    = xpheader.jar
-
-ifdef BUILD_OPT
-	IMPORT_XPCLASS_JAR = $(XPCLASS_JAR)
-else
-	IMPORT_XPCLASS_JAR = $(XPCLASS_DBG_JAR)
-endif
-
-#
-# <user_source_tree> machine-dependent (md) source-side master release directory
-#
-
-SOURCE_RELEASE_MD_DIR = $(PLATFORM)
-
-#
-# <user_source_tree> machine-dependent (md) source-side release directories
-#
-
-SOURCE_RELEASE_BIN_DIR       = $(PLATFORM)/bin
-SOURCE_RELEASE_LIB_DIR       = $(PLATFORM)/lib
-SOURCE_RELEASE_MDHEADERS_DIR = $(PLATFORM)/include
-SOURCE_RELEASE_SPEC_DIR      = $(SOURCE_RELEASE_MD_DIR)
-
-#
-# <user_source_tree> machine-dependent (md) JAR/tar source-side release files
-#
-
-MDBINARY_JAR = mdbinary.jar
-MDHEADER_JAR = mdheader.jar
-
-
-# Where to put the results
-
-ifneq ($(RESULTS_DIR),)
-	RESULTS_DIR = $(RELEASE_TREE)/sectools/results
-endif
-
diff --git a/security/coreconf/suffix.mk b/security/coreconf/suffix.mk
deleted file mode 100644
index 9c741cce1..000000000
--- a/security/coreconf/suffix.mk
+++ /dev/null
@@ -1,140 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#######################################################################
-# Master "Core Components" suffixes                                   #
-#######################################################################
-
-#
-# Object suffixes
-#
-
-ifndef OBJ_SUFFIX
-	ifeq ($(OS_ARCH), WINNT)
-		OBJ_SUFFIX = .obj
-	else
-	    ifeq ($(OS_ARCH), OS2)
-		OBJ_SUFFIX = .obj
-	    else
-		OBJ_SUFFIX = .o
-	    endif
-	endif
-endif
-
-#
-# Assembler source suffixes
-#
-
-ifndef ASM_SUFFIX
-	ifeq ($(OS_ARCH), WINNT)
-		ASM_SUFFIX = .asm
-	else
-		ASM_SUFFIX = .s
-	endif
-endif
-
-#
-# Library suffixes
-#
-
-STATIC_LIB_EXTENSION =
-
-ifndef DYNAMIC_LIB_EXTENSION
-	ifeq ($(OS_ARCH)$(OS_RELEASE), AIX4.1)
-		DYNAMIC_LIB_EXTENSION = _shr
-	else
-		DYNAMIC_LIB_EXTENSION =
-	endif
-endif
-
-
-ifndef STATIC_LIB_SUFFIX
-	STATIC_LIB_SUFFIX = .$(LIB_SUFFIX)
-endif
-
-
-ifndef DYNAMIC_LIB_SUFFIX
-	DYNAMIC_LIB_SUFFIX = .$(DLL_SUFFIX)
-endif
-
-
-ifndef IMPORT_LIB_SUFFIX
-	ifeq ($(OS_ARCH), WINNT)
-		IMPORT_LIB_SUFFIX = .$(LIB_SUFFIX)
-	else
-		IMPORT_LIB_SUFFIX = 
-	endif
-endif
-
-
-ifndef PURE_LIB_SUFFIX
-	ifeq ($(OS_ARCH), WINNT)
-		PURE_LIB_SUFFIX =
-	else
-		ifdef DSO_BACKEND
-			PURE_LIB_SUFFIX = .$(DLL_SUFFIX)
-		else
-			PURE_LIB_SUFFIX = .$(LIB_SUFFIX)
-		endif
-	endif
-endif
-
-
-ifndef STATIC_LIB_SUFFIX_FOR_LINKING
-	STATIC_LIB_SUFFIX_FOR_LINKING = $(STATIC_LIB_SUFFIX)
-endif
-
-
-ifndef DYNAMIC_LIB_SUFFIX_FOR_LINKING
-	ifeq ($(OS_ARCH), WINNT)
-		DYNAMIC_LIB_SUFFIX_FOR_LINKING = $(IMPORT_LIB_SUFFIX)
-	else
-		DYNAMIC_LIB_SUFFIX_FOR_LINKING = $(DYNAMIC_LIB_SUFFIX)
-	endif
-endif
-
-#
-# Program suffixes
-#
-
-ifndef PROG_SUFFIX
-	ifeq ($(OS_ARCH), WINNT)
-		PROG_SUFFIX = .exe
-	else
-	    ifeq ($(OS_ARCH), OS2)
-		PROG_SUFFIX = .exe
-	    else
-		PROG_SUFFIX =
-	    endif
-	endif
-endif
diff --git a/security/coreconf/version.mk b/security/coreconf/version.mk
deleted file mode 100644
index b2a55d180..000000000
--- a/security/coreconf/version.mk
+++ /dev/null
@@ -1,103 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#######################################################################
-# Build master "Core Components" release version directory name       #
-#######################################################################
-
-#
-# Always set CURRENT_VERSION_SYMLINK to the <current> symbolic link.
-#
-
-CURRENT_VERSION_SYMLINK = current
-
-
-#
-#  For the sake of backwards compatibility (*sigh*) ...
-#
-
-ifndef VERSION
-	ifdef BUILD_NUM
-		VERSION = $(BUILD_NUM)
-	endif
-endif
-
-ifndef RELEASE_VERSION
-	ifdef BUILD_NUM
-		RELEASE_VERSION = $(BUILD_NUM)
-	endif
-endif
-
-#
-# If VERSION has still NOT been set on the command line,
-# as an environment variable, by the individual Makefile, or
-# by the <component>-specific "version.mk" file, set VERSION equal
-# to $(CURRENT_VERSION_SYMLINK).
-
-ifndef VERSION
-	VERSION = $(CURRENT_VERSION_SYMLINK)
-endif
-
-# If RELEASE_VERSION has still NOT been set on the command line,
-# as an environment variable, by the individual Makefile, or
-# by the <component>-specific "version.mk" file, automatically
-# generate the next available version number via a perl script.
-# 
-
-ifndef RELEASE_VERSION
-	RELEASE_VERSION = 
-endif
-
-#
-# Set <component>-specific versions for compiliation and linkage.
-#
-
-ifndef JAVA_VERSION
-	JAVA_VERSION = $(CURRENT_VERSION_SYMLINK)
-endif
-
-ifndef NETLIB_VERSION
-	NETLIB_VERSION = $(CURRENT_VERSION_SYMLINK)
-endif
-
-ifndef NSPR_VERSION
-	NSPR_VERSION = $(CURRENT_VERSION_SYMLINK)
-endif
-
-ifndef SECTOOLS_VERSION
-	SECTOOLS_VERSION = $(CURRENT_VERSION_SYMLINK)
-endif
-
-ifndef SECURITY_VERSION
-	SECURITY_VERSION = $(CURRENT_VERSION_SYMLINK)
-endif
diff --git a/security/coreconf/version.pl b/security/coreconf/version.pl
deleted file mode 100644
index 47a71395b..000000000
--- a/security/coreconf/version.pl
+++ /dev/null
@@ -1,76 +0,0 @@
-#!/usr/sbin/perl
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-# Compose lowercase alphabet
-@alphabet = ( "a", "b", "c", "d", "e", "f", "g", "h",
-              "i", "j", "k", "l", "m", "n", "o", "p",
-              "q", "r", "s", "t", "u", "v", "w", "x",
-              "y", "z" );
-
-# Compute year
-$year = (localtime)[5] + 1900;
-
-# Compute month
-$month = (localtime)[4] + 1;
-
-# Compute day
-$day = (localtime)[3];
-
-# Compute base build number
-$version = sprintf( "%d%02d%02d", $year, $month, $day );
-$directory = sprintf( "%s\/%s\/%d%02d%02d", $ARGV[0], $ARGV[1], $year, $month, $day );
-
-# Print out the name of the first version directory which does not exist
-#if( ! -e  $directory )
-#{
-    print $version;
-#}
-#else
-#{
-#    # Loop through combinations
-#    foreach $ch1 (@alphabet)
-#    {
-#	foreach $ch2 (@alphabet)
-#	{
-#	    $version = sprintf( "%d%02d%02d%s%s", $year, $month, $day, $ch1, $ch2 );
-#	    $directory = sprintf( "%s\/%s\/%d%02d%02d%s%s", $ARGV[0], $ARGV[1], $year, $month, $day, $ch1, $ch2 );
-#	    if( ! -e  $directory )
-#	    {
-#		print STDOUT $version;
-#		exit;
-#	    }
-#	}
-#    }
-#}
-
diff --git a/security/nss/cmd/modutil/Makefile b/security/nss/cmd/modutil/Makefile
new file mode 100644
index 000000000..5f4321fec
--- /dev/null
+++ b/security/nss/cmd/modutil/Makefile
@@ -0,0 +1,85 @@
+#! gmake
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+include ../platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+include ../platrules.mk
+
+ifeq ($(OS_ARCH), WINNT)
+installparse.c:  installparse.y
+	yacc -d installparse.y
+	mv ytab.c installparse.c
+	mv ytab.h installparse.h
+else
+installparse.c:  installparse.y
+	yacc -d installparse.y
+	mv y.tab.c installparse.c
+	mv y.tab.h installparse.h
+endif
diff --git a/security/nss/cmd/modutil/installparse.c b/security/nss/cmd/modutil/installparse.c
new file mode 100644
index 000000000..5afa19ba6
--- /dev/null
+++ b/security/nss/cmd/modutil/installparse.c
@@ -0,0 +1,745 @@
+
+# line 37 "installparse.y"
+ 
+#define yyparse Pk11Install_yyparse
+#define yylex Pk11Install_yylex
+#define yyerror Pk11Install_yyerror
+#define yychar Pk11Install_yychar
+#define yyval Pk11Install_yyval
+#define yylval Pk11Install_yylval
+#define yydebug Pk11Install_yydebug
+#define yynerrs Pk11Install_yynerrs
+#define yyerrflag Pk11Install_yyerrflag
+#define yyss Pk11Install_yyss
+#define yyssp Pk11Install_yyssp
+#define yyvs Pk11Install_yyvs
+#define yyvsp Pk11Install_yyvsp
+#define yylhs Pk11Install_yylhs
+#define yylen Pk11Install_yylen
+#define yydefred Pk11Install_yydefred
+#define yydgoto Pk11Install_yydgoto
+#define yysindex Pk11Install_yysindex
+#define yyrindex Pk11Install_yyrindex
+#define yygindex Pk11Install_yygindex
+#define yytable Pk11Install_yytable
+#define yycheck Pk11Install_yycheck
+#define yyname Pk11Install_yyname
+#define yyrule Pk11Install_yyrule
+
+/* C Stuff */
+#include "install-ds.h"
+#include <prprf.h>
+
+#define YYSTYPE Pk11Install_Pointer
+extern char *Pk11Install_yytext;
+char *Pk11Install_yyerrstr=NULL;
+
+# define OPENBRACE 257
+# define CLOSEBRACE 258
+# define STRING 259
+
+#ifdef __STDC__
+#include <stdlib.h>
+#include <string.h>
+#else
+#include <malloc.h>
+#include <memory.h>
+#endif
+
+#include <values.h>
+
+#ifdef __cplusplus
+
+#ifndef yyerror
+	void yyerror(const char *);
+#endif
+
+#ifndef yylex
+#ifdef __EXTERN_C__
+	extern "C" { int yylex(void); }
+#else
+	int yylex(void);
+#endif
+#endif
+	int yyparse(void);
+
+#endif
+#define yyclearin yychar = -1
+#define yyerrok yyerrflag = 0
+extern int yychar;
+extern int yyerrflag;
+#ifndef YYSTYPE
+#define YYSTYPE int
+#endif
+YYSTYPE yylval;
+YYSTYPE yyval;
+typedef int yytabelem;
+#ifndef YYMAXDEPTH
+#define YYMAXDEPTH 150
+#endif
+#if YYMAXDEPTH > 0
+int yy_yys[YYMAXDEPTH], *yys = yy_yys;
+YYSTYPE yy_yyv[YYMAXDEPTH], *yyv = yy_yyv;
+#else	/* user does initial allocation */
+int *yys;
+YYSTYPE *yyv;
+#endif
+static int yymaxdepth = YYMAXDEPTH;
+# define YYERRCODE 256
+
+# line 117 "installparse.y"
+
+/*----------------------- Program Section --------------------------------*/
+
+/*************************************************************************/
+void
+Pk11Install_yyerror(char *message)
+{
+	char *tmp;
+	if(Pk11Install_yyerrstr) {
+		tmp=PR_smprintf("%sline %d: %s\n", Pk11Install_yyerrstr,
+			Pk11Install_yylinenum, message);
+		PR_smprintf_free(Pk11Install_yyerrstr);
+	} else {
+		tmp = PR_smprintf("line %d: %s\n", Pk11Install_yylinenum, message);
+	}
+	Pk11Install_yyerrstr=tmp;
+}
+static const yytabelem yyexca[] ={
+-1, 1,
+	0, -1,
+	-2, 0,
+-1, 5,
+	257, 7,
+	-2, 5,
+	};
+# define YYNPROD 8
+# define YYLAST 13
+static const yytabelem yyact[]={
+
+     5,    10,     8,     2,     6,     4,     3,     7,     1,     0,
+     0,     0,     9 };
+static const yytabelem yypact[]={
+
+  -259,-10000000,-10000000,  -259,-10000000,-10000000,  -255,-10000000,  -259,  -257,
+-10000000 };
+static const yytabelem yypgo[]={
+
+     0,     8,     3,     6,     5,     4 };
+static const yytabelem yyr1[]={
+
+     0,     1,     2,     2,     3,     3,     4,     5 };
+static const yytabelem yyr2[]={
+
+     0,     3,     5,     1,     3,     3,     9,     3 };
+static const yytabelem yychk[]={
+
+-10000000,    -1,    -2,    -3,    -4,   259,    -5,    -2,   257,    -2,
+   258 };
+static const yytabelem yydef[]={
+
+     3,    -2,     1,     3,     4,    -2,     0,     2,     3,     0,
+     6 };
+typedef struct
+#ifdef __cplusplus
+	yytoktype
+#endif
+{ char *t_name; int t_val; } yytoktype;
+#ifndef YYDEBUG
+#	define YYDEBUG	0	/* don't allow debugging */
+#endif
+
+#if YYDEBUG
+
+yytoktype yytoks[] =
+{
+	"OPENBRACE",	257,
+	"CLOSEBRACE",	258,
+	"STRING",	259,
+	"-unknown-",	-1	/* ends search */
+};
+
+char * yyreds[] =
+{
+	"-no such reduction-",
+	"toplist : valuelist",
+	"valuelist : value valuelist",
+	"valuelist : /* empty */",
+	"value : key_value_pair",
+	"value : STRING",
+	"key_value_pair : key OPENBRACE valuelist CLOSEBRACE",
+	"key : STRING",
+};
+#endif /* YYDEBUG */
+# line	1 "/usr/ccs/bin/yaccpar"
+/*
+ * Copyright (c) 1993 by Sun Microsystems, Inc.
+ */
+
+#pragma ident	"@(#)yaccpar	6.14	97/01/16 SMI"
+
+/*
+** Skeleton parser driver for yacc output
+*/
+
+/*
+** yacc user known macros and defines
+*/
+#define YYERROR		goto yyerrlab
+#define YYACCEPT	return(0)
+#define YYABORT		return(1)
+#define YYBACKUP( newtoken, newvalue )\
+{\
+	if ( yychar >= 0 || ( yyr2[ yytmp ] >> 1 ) != 1 )\
+	{\
+		yyerror( "syntax error - cannot backup" );\
+		goto yyerrlab;\
+	}\
+	yychar = newtoken;\
+	yystate = *yyps;\
+	yylval = newvalue;\
+	goto yynewstate;\
+}
+#define YYRECOVERING()	(!!yyerrflag)
+#define YYNEW(type)	malloc(sizeof(type) * yynewmax)
+#define YYCOPY(to, from, type) \
+	(type *) memcpy(to, (char *) from, yymaxdepth * sizeof (type))
+#define YYENLARGE( from, type) \
+	(type *) realloc((char *) from, yynewmax * sizeof(type))
+#ifndef YYDEBUG
+#	define YYDEBUG	1	/* make debugging available */
+#endif
+
+/*
+** user known globals
+*/
+int yydebug;			/* set to 1 to get debugging */
+
+/*
+** driver internal defines
+*/
+#define YYFLAG		(-10000000)
+
+/*
+** global variables used by the parser
+*/
+YYSTYPE *yypv;			/* top of value stack */
+int *yyps;			/* top of state stack */
+
+int yystate;			/* current state */
+int yytmp;			/* extra var (lasts between blocks) */
+
+int yynerrs;			/* number of errors */
+int yyerrflag;			/* error recovery flag */
+int yychar;			/* current input token number */
+
+
+
+#ifdef YYNMBCHARS
+#define YYLEX()		yycvtok(yylex())
+/*
+** yycvtok - return a token if i is a wchar_t value that exceeds 255.
+**	If i<255, i itself is the token.  If i>255 but the neither 
+**	of the 30th or 31st bit is on, i is already a token.
+*/
+#if defined(__STDC__) || defined(__cplusplus)
+int yycvtok(int i)
+#else
+int yycvtok(i) int i;
+#endif
+{
+	int first = 0;
+	int last = YYNMBCHARS - 1;
+	int mid;
+	wchar_t j;
+
+	if(i&0x60000000){/*Must convert to a token. */
+		if( yymbchars[last].character < i ){
+			return i;/*Giving up*/
+		}
+		while ((last>=first)&&(first>=0)) {/*Binary search loop*/
+			mid = (first+last)/2;
+			j = yymbchars[mid].character;
+			if( j==i ){/*Found*/ 
+				return yymbchars[mid].tvalue;
+			}else if( j<i ){
+				first = mid + 1;
+			}else{
+				last = mid -1;
+			}
+		}
+		/*No entry in the table.*/
+		return i;/* Giving up.*/
+	}else{/* i is already a token. */
+		return i;
+	}
+}
+#else/*!YYNMBCHARS*/
+#define YYLEX()		yylex()
+#endif/*!YYNMBCHARS*/
+
+/*
+** yyparse - return 0 if worked, 1 if syntax error not recovered from
+*/
+#if defined(__STDC__) || defined(__cplusplus)
+int yyparse(void)
+#else
+int yyparse()
+#endif
+{
+	register YYSTYPE *yypvt = 0;	/* top of value stack for $vars */
+
+#if defined(__cplusplus) || defined(lint)
+/*
+	hacks to please C++ and lint - goto's inside
+	switch should never be executed
+*/
+	static int __yaccpar_lint_hack__ = 0;
+	switch (__yaccpar_lint_hack__)
+	{
+		case 1: goto yyerrlab;
+		case 2: goto yynewstate;
+	}
+#endif
+
+	/*
+	** Initialize externals - yyparse may be called more than once
+	*/
+	yypv = &yyv[-1];
+	yyps = &yys[-1];
+	yystate = 0;
+	yytmp = 0;
+	yynerrs = 0;
+	yyerrflag = 0;
+	yychar = -1;
+
+#if YYMAXDEPTH <= 0
+	if (yymaxdepth <= 0)
+	{
+		if ((yymaxdepth = YYEXPAND(0)) <= 0)
+		{
+			yyerror("yacc initialization error");
+			YYABORT;
+		}
+	}
+#endif
+
+	{
+		register YYSTYPE *yy_pv;	/* top of value stack */
+		register int *yy_ps;		/* top of state stack */
+		register int yy_state;		/* current state */
+		register int  yy_n;		/* internal state number info */
+	goto yystack;	/* moved from 6 lines above to here to please C++ */
+
+		/*
+		** get globals into registers.
+		** branch to here only if YYBACKUP was called.
+		*/
+	yynewstate:
+		yy_pv = yypv;
+		yy_ps = yyps;
+		yy_state = yystate;
+		goto yy_newstate;
+
+		/*
+		** get globals into registers.
+		** either we just started, or we just finished a reduction
+		*/
+	yystack:
+		yy_pv = yypv;
+		yy_ps = yyps;
+		yy_state = yystate;
+
+		/*
+		** top of for (;;) loop while no reductions done
+		*/
+	yy_stack:
+		/*
+		** put a state and value onto the stacks
+		*/
+#if YYDEBUG
+		/*
+		** if debugging, look up token value in list of value vs.
+		** name pairs.  0 and negative (-1) are special values.
+		** Note: linear search is used since time is not a real
+		** consideration while debugging.
+		*/
+		if ( yydebug )
+		{
+			register int yy_i;
+
+			printf( "State %d, token ", yy_state );
+			if ( yychar == 0 )
+				printf( "end-of-file\n" );
+			else if ( yychar < 0 )
+				printf( "-none-\n" );
+			else
+			{
+				for ( yy_i = 0; yytoks[yy_i].t_val >= 0;
+					yy_i++ )
+				{
+					if ( yytoks[yy_i].t_val == yychar )
+						break;
+				}
+				printf( "%s\n", yytoks[yy_i].t_name );
+			}
+		}
+#endif /* YYDEBUG */
+		if ( ++yy_ps >= &yys[ yymaxdepth ] )	/* room on stack? */
+		{
+			/*
+			** reallocate and recover.  Note that pointers
+			** have to be reset, or bad things will happen
+			*/
+			int yyps_index = (yy_ps - yys);
+			int yypv_index = (yy_pv - yyv);
+			int yypvt_index = (yypvt - yyv);
+			int yynewmax;
+#ifdef YYEXPAND
+			yynewmax = YYEXPAND(yymaxdepth);
+#else
+			yynewmax = 2 * yymaxdepth;	/* double table size */
+			if (yymaxdepth == YYMAXDEPTH)	/* first time growth */
+			{
+				char *newyys = (char *)YYNEW(int);
+				char *newyyv = (char *)YYNEW(YYSTYPE);
+				if (newyys != 0 && newyyv != 0)
+				{
+					yys = YYCOPY(newyys, yys, int);
+					yyv = YYCOPY(newyyv, yyv, YYSTYPE);
+				}
+				else
+					yynewmax = 0;	/* failed */
+			}
+			else				/* not first time */
+			{
+				yys = YYENLARGE(yys, int);
+				yyv = YYENLARGE(yyv, YYSTYPE);
+				if (yys == 0 || yyv == 0)
+					yynewmax = 0;	/* failed */
+			}
+#endif
+			if (yynewmax <= yymaxdepth)	/* tables not expanded */
+			{
+				yyerror( "yacc stack overflow" );
+				YYABORT;
+			}
+			yymaxdepth = yynewmax;
+
+			yy_ps = yys + yyps_index;
+			yy_pv = yyv + yypv_index;
+			yypvt = yyv + yypvt_index;
+		}
+		*yy_ps = yy_state;
+		*++yy_pv = yyval;
+
+		/*
+		** we have a new state - find out what to do
+		*/
+	yy_newstate:
+		if ( ( yy_n = yypact[ yy_state ] ) <= YYFLAG )
+			goto yydefault;		/* simple state */
+#if YYDEBUG
+		/*
+		** if debugging, need to mark whether new token grabbed
+		*/
+		yytmp = yychar < 0;
+#endif
+		if ( ( yychar < 0 ) && ( ( yychar = YYLEX() ) < 0 ) )
+			yychar = 0;		/* reached EOF */
+#if YYDEBUG
+		if ( yydebug && yytmp )
+		{
+			register int yy_i;
+
+			printf( "Received token " );
+			if ( yychar == 0 )
+				printf( "end-of-file\n" );
+			else if ( yychar < 0 )
+				printf( "-none-\n" );
+			else
+			{
+				for ( yy_i = 0; yytoks[yy_i].t_val >= 0;
+					yy_i++ )
+				{
+					if ( yytoks[yy_i].t_val == yychar )
+						break;
+				}
+				printf( "%s\n", yytoks[yy_i].t_name );
+			}
+		}
+#endif /* YYDEBUG */
+		if ( ( ( yy_n += yychar ) < 0 ) || ( yy_n >= YYLAST ) )
+			goto yydefault;
+		if ( yychk[ yy_n = yyact[ yy_n ] ] == yychar )	/*valid shift*/
+		{
+			yychar = -1;
+			yyval = yylval;
+			yy_state = yy_n;
+			if ( yyerrflag > 0 )
+				yyerrflag--;
+			goto yy_stack;
+		}
+
+	yydefault:
+		if ( ( yy_n = yydef[ yy_state ] ) == -2 )
+		{
+#if YYDEBUG
+			yytmp = yychar < 0;
+#endif
+			if ( ( yychar < 0 ) && ( ( yychar = YYLEX() ) < 0 ) )
+				yychar = 0;		/* reached EOF */
+#if YYDEBUG
+			if ( yydebug && yytmp )
+			{
+				register int yy_i;
+
+				printf( "Received token " );
+				if ( yychar == 0 )
+					printf( "end-of-file\n" );
+				else if ( yychar < 0 )
+					printf( "-none-\n" );
+				else
+				{
+					for ( yy_i = 0;
+						yytoks[yy_i].t_val >= 0;
+						yy_i++ )
+					{
+						if ( yytoks[yy_i].t_val
+							== yychar )
+						{
+							break;
+						}
+					}
+					printf( "%s\n", yytoks[yy_i].t_name );
+				}
+			}
+#endif /* YYDEBUG */
+			/*
+			** look through exception table
+			*/
+			{
+				register const int *yyxi = yyexca;
+
+				while ( ( *yyxi != -1 ) ||
+					( yyxi[1] != yy_state ) )
+				{
+					yyxi += 2;
+				}
+				while ( ( *(yyxi += 2) >= 0 ) &&
+					( *yyxi != yychar ) )
+					;
+				if ( ( yy_n = yyxi[1] ) < 0 )
+					YYACCEPT;
+			}
+		}
+
+		/*
+		** check for syntax error
+		*/
+		if ( yy_n == 0 )	/* have an error */
+		{
+			/* no worry about speed here! */
+			switch ( yyerrflag )
+			{
+			case 0:		/* new error */
+				yyerror( "syntax error" );
+				goto skip_init;
+			yyerrlab:
+				/*
+				** get globals into registers.
+				** we have a user generated syntax type error
+				*/
+				yy_pv = yypv;
+				yy_ps = yyps;
+				yy_state = yystate;
+			skip_init:
+				yynerrs++;
+				/* FALLTHRU */
+			case 1:
+			case 2:		/* incompletely recovered error */
+					/* try again... */
+				yyerrflag = 3;
+				/*
+				** find state where "error" is a legal
+				** shift action
+				*/
+				while ( yy_ps >= yys )
+				{
+					yy_n = yypact[ *yy_ps ] + YYERRCODE;
+					if ( yy_n >= 0 && yy_n < YYLAST &&
+						yychk[yyact[yy_n]] == YYERRCODE)					{
+						/*
+						** simulate shift of "error"
+						*/
+						yy_state = yyact[ yy_n ];
+						goto yy_stack;
+					}
+					/*
+					** current state has no shift on
+					** "error", pop stack
+					*/
+#if YYDEBUG
+#	define _POP_ "Error recovery pops state %d, uncovers state %d\n"
+					if ( yydebug )
+						printf( _POP_, *yy_ps,
+							yy_ps[-1] );
+#	undef _POP_
+#endif
+					yy_ps--;
+					yy_pv--;
+				}
+				/*
+				** there is no state on stack with "error" as
+				** a valid shift.  give up.
+				*/
+				YYABORT;
+			case 3:		/* no shift yet; eat a token */
+#if YYDEBUG
+				/*
+				** if debugging, look up token in list of
+				** pairs.  0 and negative shouldn't occur,
+				** but since timing doesn't matter when
+				** debugging, it doesn't hurt to leave the
+				** tests here.
+				*/
+				if ( yydebug )
+				{
+					register int yy_i;
+
+					printf( "Error recovery discards " );
+					if ( yychar == 0 )
+						printf( "token end-of-file\n" );
+					else if ( yychar < 0 )
+						printf( "token -none-\n" );
+					else
+					{
+						for ( yy_i = 0;
+							yytoks[yy_i].t_val >= 0;
+							yy_i++ )
+						{
+							if ( yytoks[yy_i].t_val
+								== yychar )
+							{
+								break;
+							}
+						}
+						printf( "token %s\n",
+							yytoks[yy_i].t_name );
+					}
+				}
+#endif /* YYDEBUG */
+				if ( yychar == 0 )	/* reached EOF. quit */
+					YYABORT;
+				yychar = -1;
+				goto yy_newstate;
+			}
+		}/* end if ( yy_n == 0 ) */
+		/*
+		** reduction by production yy_n
+		** put stack tops, etc. so things right after switch
+		*/
+#if YYDEBUG
+		/*
+		** if debugging, print the string that is the user's
+		** specification of the reduction which is just about
+		** to be done.
+		*/
+		if ( yydebug )
+			printf( "Reduce by (%d) \"%s\"\n",
+				yy_n, yyreds[ yy_n ] );
+#endif
+		yytmp = yy_n;			/* value to switch over */
+		yypvt = yy_pv;			/* $vars top of value stack */
+		/*
+		** Look in goto table for next state
+		** Sorry about using yy_state here as temporary
+		** register variable, but why not, if it works...
+		** If yyr2[ yy_n ] doesn't have the low order bit
+		** set, then there is no action to be done for
+		** this reduction.  So, no saving & unsaving of
+		** registers done.  The only difference between the
+		** code just after the if and the body of the if is
+		** the goto yy_stack in the body.  This way the test
+		** can be made before the choice of what to do is needed.
+		*/
+		{
+			/* length of production doubled with extra bit */
+			register int yy_len = yyr2[ yy_n ];
+
+			if ( !( yy_len & 01 ) )
+			{
+				yy_len >>= 1;
+				yyval = ( yy_pv -= yy_len )[1];	/* $$ = $1 */
+				yy_state = yypgo[ yy_n = yyr1[ yy_n ] ] +
+					*( yy_ps -= yy_len ) + 1;
+				if ( yy_state >= YYLAST ||
+					yychk[ yy_state =
+					yyact[ yy_state ] ] != -yy_n )
+				{
+					yy_state = yyact[ yypgo[ yy_n ] ];
+				}
+				goto yy_stack;
+			}
+			yy_len >>= 1;
+			yyval = ( yy_pv -= yy_len )[1];	/* $$ = $1 */
+			yy_state = yypgo[ yy_n = yyr1[ yy_n ] ] +
+				*( yy_ps -= yy_len ) + 1;
+			if ( yy_state >= YYLAST ||
+				yychk[ yy_state = yyact[ yy_state ] ] != -yy_n )
+			{
+				yy_state = yyact[ yypgo[ yy_n ] ];
+			}
+		}
+					/* save until reenter driver code */
+		yystate = yy_state;
+		yyps = yy_ps;
+		yypv = yy_pv;
+	}
+	/*
+	** code supplied by user is placed in this switch
+	*/
+	switch( yytmp )
+	{
+		
+case 1:
+# line 84 "installparse.y"
+{
+	Pk11Install_valueList = yypvt[-0].list;
+} break;
+case 2:
+# line 89 "installparse.y"
+{ 
+	Pk11Install_ValueList_AddItem(yypvt[-0].list,yypvt[-1].value);
+	yyval.list = yypvt[-0].list; 
+} break;
+case 3:
+# line 94 "installparse.y"
+{ 
+	yyval.list = Pk11Install_ValueList_new(); 
+} break;
+case 4:
+# line 99 "installparse.y"
+{
+	yyval.value= Pk11Install_Value_new(PAIR_VALUE,yypvt[-0]);
+} break;
+case 5:
+# line 103 "installparse.y"
+{
+	yyval.value= Pk11Install_Value_new(STRING_VALUE, yypvt[-0]);
+} break;
+case 6:
+# line 108 "installparse.y"
+{
+	yyval.pair = Pk11Install_Pair_new(yypvt[-3].string,yypvt[-1].list);
+} break;
+case 7:
+# line 113 "installparse.y"
+{
+	yyval.string = yypvt[-0].string;
+} break;
+# line	531 "/usr/ccs/bin/yaccpar"
+	}
+	goto yystack;		/* reset registers in driver code */
+}
+
diff --git a/security/nss/cmd/modutil/installparse.h b/security/nss/cmd/modutil/installparse.h
new file mode 100644
index 000000000..f57ad8f55
--- /dev/null
+++ b/security/nss/cmd/modutil/installparse.h
@@ -0,0 +1,3 @@
+# define OPENBRACE 257
+# define CLOSEBRACE 258
+# define STRING 259
diff --git a/security/coreconf/SunOS5.5.1_i86pc.mk b/security/nss/cmd/modutil/rules.mk
index 978286856..c22175ffd 100644
--- a/security/coreconf/SunOS5.5.1_i86pc.mk
+++ b/security/nss/cmd/modutil/rules.mk
@@ -1,4 +1,4 @@
-#
+# 
 # The contents of this file are subject to the Mozilla Public
 # License Version 1.1 (the "License"); you may not use this file
 # except in compliance with the License. You may obtain a copy of
@@ -30,16 +30,17 @@
 # may use your version of this file under either the MPL or the
 # GPL.
 #
-# Config stuff for Solaris 2.5.1 on x86
-# 
 
-SOL_CFLAGS	= -D_SVID_GETTOD
+generate: installparse.c installparse.l
 
-include $(CORE_DEPTH)/coreconf/SunOS5.mk
+installparse.c:
+	yacc -p Pk11Install_yy -d installparse.y
+	mv y.tab.c installparse.c
+	mv y.tab.h installparse.h
 
-CPU_ARCH		= x86
-OS_DEFINES		+= -Di386
+installparse.l:
+	lex -olex.Pk11Install_yy.c -PPk11Install_yy installparse.l
+	@echo
+	@echo "**YOU MUST COMMENT OUT UNISTD.H FROM lex.Pk11Install_yy.cpp**"
 
-ifeq ($(OS_RELEASE),5.5.1_i86pc)
-	OS_DEFINES += -DSOLARIS2_5
-endif
+install.c: install-ds.h install.h
diff --git a/security/nss/cmd/strsclnt/strsclnt.c b/security/nss/cmd/strsclnt/strsclnt.c
new file mode 100644
index 000000000..059a0696e
--- /dev/null
+++ b/security/nss/cmd/strsclnt/strsclnt.c
@@ -0,0 +1,1108 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+#include <stdio.h>
+#include <string.h>
+
+#include "secutil.h"
+
+#if defined(XP_UNIX)
+#include <unistd.h>
+#endif
+#include <stdlib.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <stdarg.h>
+
+#include "plgetopt.h"
+
+#include "nspr.h"
+#include "prio.h"
+#include "prnetdb.h"
+#include "prerror.h"
+
+#include "pk11func.h"
+#include "secitem.h"
+#include "sslproto.h"
+#include "nss.h"
+#include "ssl.h"
+
+#ifndef PORT_Sprintf
+#define PORT_Sprintf sprintf
+#endif
+
+#ifndef PORT_Strstr
+#define PORT_Strstr strstr
+#endif
+
+#ifndef PORT_Malloc
+#define PORT_Malloc PR_Malloc
+#endif
+
+#define RD_BUF_SIZE (60 * 1024)
+
+int cipherSuites[] = {
+    SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,
+    SSL_FORTEZZA_DMS_WITH_RC4_128_SHA,
+    SSL_RSA_WITH_RC4_128_MD5,
+    SSL_RSA_WITH_3DES_EDE_CBC_SHA,
+    SSL_RSA_WITH_DES_CBC_SHA,
+    SSL_RSA_EXPORT_WITH_RC4_40_MD5,
+    SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
+    SSL_FORTEZZA_DMS_WITH_NULL_SHA,
+    SSL_RSA_WITH_NULL_MD5,
+    0
+};
+
+/* Include these cipher suite arrays to re-use tstclnt's 
+ * cipher selection code.
+ */
+
+int ssl2CipherSuites[] = {
+    SSL_EN_RC4_128_WITH_MD5,                    /* A */
+    SSL_EN_RC4_128_EXPORT40_WITH_MD5,           /* B */
+    SSL_EN_RC2_128_CBC_WITH_MD5,                /* C */
+    SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5,       /* D */
+    SSL_EN_DES_64_CBC_WITH_MD5,                 /* E */
+    SSL_EN_DES_192_EDE3_CBC_WITH_MD5,           /* F */
+    0
+};
+
+int ssl3CipherSuites[] = {
+    SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,     /* a */
+    SSL_FORTEZZA_DMS_WITH_RC4_128_SHA,          /* b */
+    SSL_RSA_WITH_RC4_128_MD5,                   /* c */
+    SSL_RSA_WITH_3DES_EDE_CBC_SHA,              /* d */
+    SSL_RSA_WITH_DES_CBC_SHA,                   /* e */
+    SSL_RSA_EXPORT_WITH_RC4_40_MD5,             /* f */
+    SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,         /* g */
+    SSL_FORTEZZA_DMS_WITH_NULL_SHA,             /* h */
+    SSL_RSA_WITH_NULL_MD5,                      /* i */
+    SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,         /* j */
+    SSL_RSA_FIPS_WITH_DES_CBC_SHA,              /* k */
+    0
+};
+
+/* This global string is so that client main can see 
+ * which ciphers to use. 
+ */
+
+char *cipherString;
+
+int MakeCertOK;
+
+void
+disableSSL2Ciphers(void)
+{
+    int i;
+
+    /* disable all the SSL2 cipher suites */
+    for (i = 0; ssl2CipherSuites[i] != 0;  ++i) {
+        SSL_EnableCipher(ssl2CipherSuites[i], SSL_NOT_ALLOWED);
+    }
+}
+
+void
+disableSSL3Ciphers(void)
+{
+    int i;
+
+    /* disable all the SSL3 cipher suites */
+    for (i = 0; ssl3CipherSuites[i] != 0;  ++i) {
+        SSL_EnableCipher(ssl3CipherSuites[i], SSL_NOT_ALLOWED);
+    }
+}
+
+char * ownPasswd( PK11SlotInfo *slot, PRBool retry, void *arg)
+{
+        char *passwd = NULL;
+
+        if ( (!retry) && arg ) {
+                passwd = PL_strdup((char *)arg);
+        }
+
+        return passwd;
+}
+
+int	stopping;
+int	verbose;
+SECItem	bigBuf;
+
+#define PRINTF  if (verbose)  printf
+#define FPRINTF if (verbose) fprintf
+
+static void
+Usage(const char *progName)
+{
+    fprintf(stderr, 
+    	"Usage: %s [-n rsa_nickname] [-p port] [-d dbdir] [-c connections]\n"
+	"          [-v] [-f fortezza_nickname] [-2 filename]\n"
+	"          [-w dbpasswd] [-C cipher(s)] hostname\n",
+	progName);
+    exit(1);
+}
+
+static void
+networkStart(void)
+{
+#if defined(XP_WIN) && !defined(NSPR20)
+
+    WORD wVersionRequested;  
+    WSADATA wsaData; 
+    int err; 
+    wVersionRequested = MAKEWORD(1, 1); 
+ 
+    err = WSAStartup(wVersionRequested, &wsaData); 
+ 
+    if (err != 0) {
+	/* Tell the user that we couldn't find a useable winsock.dll. */ 
+	fputs("WSAStartup failed!\n", stderr);
+	exit(1);
+    }
+
+/* Confirm that the Windows Sockets DLL supports 1.1.*/ 
+/* Note that if the DLL supports versions greater */ 
+/* than 1.1 in addition to 1.1, it will still return */ 
+/* 1.1 in wVersion since that is the version we */ 
+/* requested. */ 
+ 
+    if ( LOBYTE( wsaData.wVersion ) != 1 || 
+         HIBYTE( wsaData.wVersion ) != 1 ) { 
+	/* Tell the user that we couldn't find a useable winsock.dll. */ 
+	fputs("wrong winsock version\n", stderr);
+	WSACleanup(); 
+	exit(1); 
+    } 
+    /* The Windows Sockets DLL is acceptable. Proceed. */ 
+
+#endif
+}
+
+static void
+networkEnd(void)
+{
+#if defined(XP_WIN) && !defined(NSPR20)
+    WSACleanup();
+#endif
+}
+
+static void
+errWarn(char * funcString)
+{
+    PRErrorCode  perr      = PR_GetError();
+    const char * errString = SECU_Strerror(perr);
+
+    fprintf(stderr, "exit after %s with error %d:\n%s\n",
+            funcString, perr, errString);
+}
+
+static void
+errExit(char * funcString)
+{
+#if defined (XP_WIN) && !defined(NSPR20)
+    int          err;
+    LPVOID       lpMsgBuf;
+
+    err = WSAGetLastError();
+ 
+    FormatMessage(
+	FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
+	NULL,
+	err,
+	MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language
+	(LPTSTR) &lpMsgBuf,
+	0,
+	NULL 
+    );
+
+    /* Display the string. */
+  /*MessageBox( NULL, lpMsgBuf, "GetLastError", MB_OK|MB_ICONINFORMATION ); */
+    fprintf(stderr, "%s\n", lpMsgBuf);
+
+    /* Free the buffer. */
+    LocalFree( lpMsgBuf );
+#endif
+
+    errWarn(funcString);
+    exit(1);
+}
+
+/* This invokes the "default" AuthCert handler in libssl.
+** The only reason to use this one is that it prints out info as it goes. 
+*/
+static int
+mySSLAuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig,
+		     PRBool isServer)
+{
+    SECStatus rv;
+    CERTCertificate *    peerCert;
+
+    peerCert = SSL_PeerCertificate(fd);
+
+    PRINTF("Subject: %s\nIssuer : %s\n", 
+           peerCert->subjectName, peerCert->issuerName); 
+    /* invoke the "default" AuthCert handler. */
+    rv = SSL_AuthCertificate(arg, fd, checkSig, isServer);
+
+    if (rv == SECSuccess) {
+	fputs("-- SSL3: Server Certificate Validated.\n", stderr);
+    } 
+    /* error, if any, will be displayed by the Bad Cert Handler. */
+    return rv;  
+}
+
+static int /* should be SECStatus but public prototype says int. */
+myBadCertHandler( void *arg, PRFileDesc *fd)
+{
+    int err = PR_GetError();
+    fprintf(stderr, "-- SSL: Server Certificate Invalid, err %d.\n%s\n", 
+            err, SECU_Strerror(err));
+    return (MakeCertOK ? SECSuccess : SECFailure);
+}
+
+/* statistics from ssl3_SendClientHello (sch) */
+extern long ssl3_sch_sid_cache_hits;
+extern long ssl3_sch_sid_cache_misses;
+extern long ssl3_sch_sid_cache_not_ok;
+
+/* statistics from ssl3_HandleServerHello (hsh) */
+extern long ssl3_hsh_sid_cache_hits;
+extern long ssl3_hsh_sid_cache_misses;
+extern long ssl3_hsh_sid_cache_not_ok;
+
+/* statistics from ssl3_HandleClientHello (hch) */
+extern long ssl3_hch_sid_cache_hits;
+extern long ssl3_hch_sid_cache_misses;
+extern long ssl3_hch_sid_cache_not_ok;
+
+void 
+printSecurityInfo(PRFileDesc *fd)
+{
+    char * cp;	/* bulk cipher name */
+    char * ip;	/* cert issuer DN */
+    char * sp;	/* cert subject DN */
+    int    op;	/* High, Low, Off */
+    int    kp0;	/* total key bits */
+    int    kp1;	/* secret key bits */
+    int    result;
+
+    static int only_once;
+
+    if (! only_once++ && fd) {
+	result = SSL_SecurityStatus(fd, &op, &cp, &kp0, &kp1, &ip, &sp);
+	if (result != SECSuccess)
+	    return;
+#if 0
+	PRINTF("bulk cipher %s, %d secret key bits, %d key bits, status: %d\n"
+	       "subject DN: %s\n"
+	       "issuer  DN: %s\n", cp, kp1, kp0, op, sp, ip);
+#else
+	PRINTF("bulk cipher %s, %d secret key bits, %d key bits, status: %d\n",
+	       cp, kp1, kp0, op, sp, ip);
+#endif
+	PR_Free(cp);
+	PR_Free(ip);
+	PR_Free(sp);
+    }
+
+    PRINTF("%ld cache hits; %ld cache misses, %ld cache not reusable\n",
+    	ssl3_hsh_sid_cache_hits, 
+	ssl3_hsh_sid_cache_misses,
+	ssl3_hsh_sid_cache_not_ok);
+
+}
+
+/**************************************************************************
+** Begin thread management routines and data.
+**************************************************************************/
+
+#define MAX_THREADS 32
+
+typedef int startFn(void *a, void *b, int c);
+
+PRLock    * threadLock;
+PRCondVar * threadStartQ;
+PRCondVar * threadEndQ;
+
+int         numUsed;
+int         numRunning;
+
+typedef enum { rs_idle = 0, rs_running = 1, rs_zombie = 2 } runState;
+
+typedef struct perThreadStr {
+    void *	a;
+    void *	b;
+    int         c;
+    int         rv;
+    startFn  *  startFunc;
+    PRThread *  prThread;
+    PRBool	inUse;
+    runState	running;
+} perThread;
+
+perThread threads[MAX_THREADS];
+
+void
+thread_wrapper(void * arg)
+{
+    perThread * slot = (perThread *)arg;
+
+    /* wait for parent to finish launching us before proceeding. */
+    PR_Lock(threadLock);
+    PR_Unlock(threadLock);
+
+    slot->rv = (* slot->startFunc)(slot->a, slot->b, slot->c);
+
+    /* Handle cleanup of thread here. */
+    PRINTF("Thread in slot %d returned %d\n", slot - threads, slot->rv);
+
+    PR_Lock(threadLock);
+    slot->running = rs_idle;
+    --numRunning;
+
+    /* notify the thread launcher. */
+    PR_NotifyCondVar(threadStartQ);
+
+    PR_Unlock(threadLock);
+}
+
+SECStatus
+launch_thread(
+    startFn *	startFunc,
+    void *	a,
+    void *	b,
+    int         c)
+{
+    perThread * slot;
+    int         i;
+
+    if (!threadStartQ) {
+	threadLock = PR_NewLock();
+	threadStartQ = PR_NewCondVar(threadLock);
+	threadEndQ   = PR_NewCondVar(threadLock);
+    }
+    PR_Lock(threadLock);
+    while (numRunning >= MAX_THREADS) {
+    	PR_WaitCondVar(threadStartQ, PR_INTERVAL_NO_TIMEOUT);
+    }
+    for (i = 0; i < numUsed; ++i) {
+	slot = threads + i;
+    	if (slot->running == rs_idle) 
+	    break;
+    }
+    if (i >= numUsed) {
+	if (i >= MAX_THREADS) {
+	    /* something's really wrong here. */
+	    PORT_Assert(i < MAX_THREADS);
+	    PR_Unlock(threadLock);
+	    return SECFailure;
+	}
+	++numUsed;
+	PORT_Assert(numUsed == i + 1);
+	slot = threads + i;
+    }
+
+    slot->a = a;
+    slot->b = b;
+    slot->c = c;
+
+    slot->startFunc = startFunc;
+
+    slot->prThread      = PR_CreateThread(PR_USER_THREAD,
+                                      thread_wrapper, slot,
+				      PR_PRIORITY_NORMAL, PR_GLOBAL_THREAD,
+				      PR_UNJOINABLE_THREAD, 0);
+    if (slot->prThread == NULL) {
+	PR_Unlock(threadLock);
+	printf("Failed to launch thread!\n");
+	return SECFailure;
+    } 
+
+    slot->inUse   = 1;
+    slot->running = 1;
+    ++numRunning;
+    PR_Unlock(threadLock);
+    PRINTF("Launched thread in slot %d \n", i);
+
+    return SECSuccess;
+}
+
+/* Wait until num_running == 0 */
+int 
+reap_threads(void)
+{
+    perThread * slot;
+    int         i;
+
+    if (!threadLock)
+    	return 0;
+    PR_Lock(threadLock);
+    while (numRunning > 0) {
+    	PR_WaitCondVar(threadStartQ, PR_INTERVAL_NO_TIMEOUT);
+    }
+
+    /* Safety Sam sez: make sure count is right. */
+    for (i = 0; i < numUsed; ++i) {
+	slot = threads + i;
+    	if (slot->running != rs_idle)  {
+	    FPRINTF(stderr, "Thread in slot %d is in state %d!\n", 
+	            i, slot->running);
+    	}
+    }
+    PR_Unlock(threadLock);
+    return 0;
+}
+
+void
+destroy_thread_data(void)
+{
+    PORT_Memset(threads, 0, sizeof threads);
+
+    if (threadEndQ) {
+    	PR_DestroyCondVar(threadEndQ);
+	threadEndQ = NULL;
+    }
+    if (threadStartQ) {
+    	PR_DestroyCondVar(threadStartQ);
+	threadStartQ = NULL;
+    }
+    if (threadLock) {
+    	PR_DestroyLock(threadLock);
+	threadLock = NULL;
+    }
+}
+
+/**************************************************************************
+** End   thread management routines.
+**************************************************************************/
+
+PRBool useModelSocket = PR_TRUE;
+
+static const char stopCmd[] = { "GET /stop " };
+static const char outHeader[] = {
+    "HTTP/1.0 200 OK\r\n"
+    "Server: Netscape-Enterprise/2.0a\r\n"
+    "Date: Tue, 26 Aug 1997 22:10:05 GMT\r\n"
+    "Content-type: text/plain\r\n"
+    "\r\n"
+};
+
+struct lockedVarsStr {
+    PRLock *	lock;
+    int		count;
+    int		waiters;
+    PRCondVar *	condVar;
+};
+
+typedef struct lockedVarsStr lockedVars;
+
+void 
+lockedVars_Init( lockedVars * lv)
+{
+    lv->count   = 0;
+    lv->waiters = 0;
+    lv->lock    = PR_NewLock();
+    lv->condVar = PR_NewCondVar(lv->lock);
+}
+
+void
+lockedVars_Destroy( lockedVars * lv)
+{
+    PR_DestroyCondVar(lv->condVar);
+    lv->condVar = NULL;
+
+    PR_DestroyLock(lv->lock);
+    lv->lock = NULL;
+}
+
+void
+lockedVars_WaitForDone(lockedVars * lv)
+{
+    PR_Lock(lv->lock);
+    while (lv->count > 0) {
+    	PR_WaitCondVar(lv->condVar, PR_INTERVAL_NO_TIMEOUT);
+    }
+    PR_Unlock(lv->lock);
+}
+
+int	/* returns count */
+lockedVars_AddToCount(lockedVars * lv, int addend)
+{
+    int rv;
+
+    PR_Lock(lv->lock);
+    rv = lv->count += addend;
+    if (rv <= 0) {
+	PR_NotifyCondVar(lv->condVar);
+    }
+    PR_Unlock(lv->lock);
+    return rv;
+}
+
+int
+do_writes(
+    void *       a,
+    void *       b,
+    int          c)
+{
+    PRFileDesc *	ssl_sock	= (PRFileDesc *)a;
+    lockedVars *	lv 		= (lockedVars *)b;
+    int			sent  		= 0;
+    int 		count		= 0;
+
+    while (sent < bigBuf.len) {
+
+	count = PR_Write(ssl_sock, bigBuf.data + sent, bigBuf.len - sent);
+	if (count < 0) {
+	    errWarn("PR_Write bigBuf");
+	    break;
+	}
+	FPRINTF(stderr, "PR_Write wrote %d bytes from bigBuf\n", count );
+	sent += count;
+    }
+    if (count >= 0) {	/* last write didn't fail. */
+    	PR_Shutdown(ssl_sock, PR_SHUTDOWN_SEND);
+    }
+
+    /* notify the reader that we're done. */
+    lockedVars_AddToCount(lv, -1);
+    return (sent < bigBuf.len) ? SECFailure : SECSuccess;
+}
+
+int 
+handle_fdx_connection( PRFileDesc * ssl_sock, int connection)
+{
+    SECStatus          result;
+    int                firstTime = 1;
+    int                countRead = 0;
+    lockedVars         lv;
+    char               *buf;
+
+
+    lockedVars_Init(&lv);
+    lockedVars_AddToCount(&lv, 1);
+
+    /* Attempt to launch the writer thread. */
+    result = launch_thread(do_writes, ssl_sock, &lv, connection);
+
+    if (result != SECSuccess) 
+    	goto cleanup;
+
+    buf = PR_Malloc(RD_BUF_SIZE);
+
+    if (buf) {
+	do {
+	    /* do reads here. */
+	    PRInt32 count;
+
+	    count = PR_Read(ssl_sock, buf, RD_BUF_SIZE);
+	    if (count < 0) {
+		errWarn("PR_Read");
+		break;
+	    }
+	    countRead += count;
+	    FPRINTF(stderr, "connection %d read %d bytes (%d total).\n", 
+		    connection, count, countRead );
+	    if (firstTime) {
+		firstTime = 0;
+		printSecurityInfo(ssl_sock);
+	    }
+	} while (lockedVars_AddToCount(&lv, 0) > 0);
+	PR_Free(buf);
+	buf = 0;
+    }
+
+    /* Wait for writer to finish */
+    lockedVars_WaitForDone(&lv);
+    lockedVars_Destroy(&lv);
+
+    FPRINTF(stderr, 
+    "connection %d read %d bytes total. -----------------------------\n", 
+    	    connection, countRead);
+
+cleanup:
+    /* Caller closes the socket. */
+
+    return SECSuccess;
+}
+
+const char request[] = {"GET /abc HTTP/1.0\r\n\r\n" };
+
+SECStatus
+handle_connection( PRFileDesc *ssl_sock, int connection)
+{
+    int	    countRead = 0;
+    PRInt32 rv;
+    char    *buf;
+
+    buf = PR_Malloc(RD_BUF_SIZE);
+    if (!buf)
+	return SECFailure;
+
+    /* compose the http request here. */
+
+    rv = PR_Write(ssl_sock, request, strlen(request));
+    if (rv <= 0) {
+	errWarn("PR_Write");
+	PR_Free(buf);
+	buf = 0;
+	return SECFailure;
+    }
+    printSecurityInfo(ssl_sock);
+
+    /* read until EOF */
+    while (1) {
+	rv = PR_Read(ssl_sock, buf, RD_BUF_SIZE);
+	if (rv == 0) {
+	    break;	/* EOF */
+	}
+	if (rv < 0) {
+	    errWarn("PR_Read");
+	    break;
+	}
+
+	countRead += rv;
+	FPRINTF(stderr, "connection %d read %d bytes (%d total).\n", 
+		connection, rv, countRead );
+    }
+    PR_Free(buf);
+    buf = 0;
+
+    /* Caller closes the socket. */
+
+    FPRINTF(stderr, 
+    "connection %d read %d bytes total. -----------------------------\n", 
+    	    connection, countRead);
+
+    return SECSuccess;	/* success */
+}
+
+/* one copy of this function is launched in a separate thread for each
+** connection to be made.
+*/
+int
+do_connects(
+    void *	a,
+    void *	b,
+    int         connection)
+{
+    PRNetAddr  *        addr		= (PRNetAddr *)  a;
+    PRFileDesc *        model_sock	= (PRFileDesc *) b;
+    PRFileDesc *        ssl_sock;
+    PRFileDesc *        tcp_sock;
+    PRStatus	        prStatus;
+    SECStatus   	result;
+    int                 rv 		= SECSuccess;
+    PRSocketOptionData  opt;
+
+retry:
+
+    tcp_sock = PR_NewTCPSocket();
+    if (tcp_sock == NULL) {
+	errExit("PR_NewTCPSocket");
+    }
+
+    opt.option             = PR_SockOpt_Nonblocking;
+    opt.value.non_blocking = PR_FALSE;
+    prStatus = PR_SetSocketOption(tcp_sock, &opt);
+    if (prStatus != PR_SUCCESS) {
+    	PR_Close(tcp_sock);
+	return SECSuccess;
+    } 
+
+    prStatus = PR_Connect(tcp_sock, addr, PR_INTERVAL_NO_TIMEOUT);
+    if (prStatus != PR_SUCCESS) {
+	PRErrorCode err = PR_GetError();
+	if (err == PR_CONNECT_REFUSED_ERROR) {
+	    PR_Close(tcp_sock);
+	    PR_Sleep(PR_MillisecondsToInterval(10));
+	    goto retry;
+	}
+	errWarn("PR_Connect");
+	goto done;
+    }
+
+    ssl_sock = SSL_ImportFD(model_sock, tcp_sock);
+    /* XXX if this import fails, close tcp_sock and return. */
+    if (!ssl_sock) {
+    	PR_Close(tcp_sock);
+	return SECSuccess;
+    }
+
+    rv = SSL_ResetHandshake(ssl_sock, /* asServer */ 0);
+    if (rv != SECSuccess) {
+	errWarn("SSL_ResetHandshake");
+	goto done;
+    }
+
+    if (bigBuf.data != NULL) {
+	result = handle_fdx_connection( ssl_sock, connection);
+    } else {
+	result = handle_connection( ssl_sock, connection);
+    }
+
+done:
+    PR_Close(ssl_sock);
+    return SECSuccess;
+}
+
+/* Returns IP address for hostname as PRUint32 in Host Byte Order.
+** Since the value returned is an integer (not a string of bytes), 
+** it is inherently in Host Byte Order. 
+*/
+PRUint32
+getIPAddress(const char * hostName) 
+{
+    const unsigned char *p;
+    PRStatus	         prStatus;
+    PRUint32	         rv;
+    PRHostEnt	         prHostEnt;
+    char                 scratch[PR_NETDB_BUF_SIZE];
+
+    prStatus = PR_GetHostByName(hostName, scratch, sizeof scratch, &prHostEnt);
+    if (prStatus != PR_SUCCESS)
+	errExit("PR_GetHostByName");
+
+#undef  h_addr
+#define h_addr  h_addr_list[0]   /* address, for backward compatibility */
+
+    p = (const unsigned char *)(prHostEnt.h_addr); /* in Network Byte order */
+    FPRINTF(stderr, "%s -> %d.%d.%d.%d\n", hostName, p[0], p[1], p[2], p[3]);
+    rv = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];
+    return rv;
+}
+
+void
+client_main(
+    unsigned short      port, 
+    int                 connections, 
+    SECKEYPrivateKey ** privKey,
+    CERTCertificate **  cert, 
+    const char *	hostName,
+    char *		nickName)
+{
+    PRFileDesc *model_sock	= NULL;
+    int         i;
+    int         rv;
+    SECStatus	secStatus;
+    PRUint32	ipAddress;	/* in host byte order */
+    PRNetAddr   addr;
+
+    networkStart();
+
+    /* Assemble NetAddr struct for connections. */
+    ipAddress = getIPAddress(hostName);
+
+    addr.inet.family = PR_AF_INET;
+    addr.inet.port   = PR_htons(port);
+    addr.inet.ip     = PR_htonl(ipAddress);
+
+    /* all suites except RSA_NULL_MD5 are enabled by Domestic Policy */
+    NSS_SetDomesticPolicy();
+
+/* all the SSL2 and SSL3 cipher suites are enabled by default. */
+    if (cipherString) {
+        int ndx;
+
+        /* disable all the ciphers, then enable the ones we want. */
+        disableSSL2Ciphers();
+        disableSSL3Ciphers();
+
+        while (0 != (ndx = *cipherString++)) {
+            int *cptr;
+            int  cipher;
+
+            if (! isalpha(ndx))
+                Usage("strsclnt");
+            cptr = islower(ndx) ? ssl3CipherSuites : ssl2CipherSuites;
+            for (ndx &= 0x1f; (cipher = *cptr++) != 0 && --ndx > 0; )
+                /* do nothing */;
+            if (cipher) {
+                SSL_EnableCipher(cipher, SSL_ALLOWED);
+            }
+        }
+    }
+
+    /* configure model SSL socket. */
+
+    model_sock = PR_NewTCPSocket();
+    if (model_sock == NULL) {
+	errExit("PR_NewTCPSocket on model socket");
+    }
+
+    model_sock = SSL_ImportFD(NULL, model_sock);
+    if (model_sock == NULL) {
+	errExit("SSL_ImportFD");
+    }
+
+    /* do SSL configuration. */
+
+    rv = SSL_Enable(model_sock, SSL_SECURITY, 1);
+    if (rv < 0) {
+	errExit("SSL_Enable SSL_SECURITY");
+    }
+
+    if (bigBuf.data) { /* doing FDX */
+	rv = SSL_Enable(model_sock, SSL_ENABLE_FDX, 1);
+	if (rv < 0) {
+	    errExit("SSL_Enable SSL_ENABLE_FDX");
+	}
+    }
+
+    SSL_SetURL(model_sock, hostName);
+
+    SSL_AuthCertificateHook(model_sock, mySSLAuthCertificate, 
+			    (void *)CERT_GetDefaultCertDB());
+
+    SSL_BadCertHook(model_sock, myBadCertHandler, NULL);
+
+    SSL_GetClientAuthDataHook(model_sock, NSS_GetClientAuthData, nickName);
+
+    /* I'm not going to set the HandshakeCallback function. */
+
+    /* end of ssl configuration. */
+
+    rv = launch_thread(do_connects, &addr, model_sock, 1);
+
+    if (connections > 1) {
+	/* wait for the first connection to terminate, then launch the rest. */
+	reap_threads();
+	/* Start up the connections */
+	for (i = 2; i <= connections; ++i) {
+
+	    rv = launch_thread(do_connects, &addr, model_sock, i);
+
+	}
+    }
+
+    reap_threads();
+    destroy_thread_data();
+
+    PR_Close(model_sock);
+
+    networkEnd();
+}
+
+SECStatus
+readBigFile(const char * fileName)
+{
+    PRFileInfo  info;
+    PRStatus	status;
+    SECStatus	rv	= SECFailure;
+    int		count;
+    int		hdrLen;
+    PRFileDesc *local_file_fd = NULL;
+
+    status = PR_GetFileInfo(fileName, &info);
+
+    if (status == PR_SUCCESS &&
+	info.type == PR_FILE_FILE &&
+	info.size > 0 &&
+	NULL != (local_file_fd = PR_Open(fileName, PR_RDONLY, 0))) {
+
+	hdrLen      = PORT_Strlen(outHeader);
+	bigBuf.len  = hdrLen + info.size;
+	bigBuf.data = PORT_Malloc(bigBuf.len + 4095);
+	if (!bigBuf.data) {
+	    errWarn("PORT_Malloc");
+	    goto done;
+	}
+
+	PORT_Memcpy(bigBuf.data, outHeader, hdrLen);
+
+	count = PR_Read(local_file_fd, bigBuf.data + hdrLen, info.size);
+	if (count != info.size) {
+	    errWarn("PR_Read local file");
+	    goto done;
+	}
+	rv = SECSuccess;
+done:
+	PR_Close(local_file_fd);
+    }
+    return rv;
+}
+
+int
+main(int argc, char **argv)
+{
+    char *               dir         = ".";
+    char *               fNickName   = NULL;
+    char *               fileName    = NULL;
+    char *               hostName    = NULL;
+    char *               nickName    = NULL;
+    char *               progName    = NULL;
+    char *               tmp         = NULL;
+    CERTCertificate *    cert   [kt_kea_size] = { NULL };
+    SECKEYPrivateKey *   privKey[kt_kea_size] = { NULL };
+    int                  optchar;
+    int                  connections = 1;
+    unsigned short       port        = 443;
+    SECStatus            rv;
+    PRBool				 useCommandLinePasswd = PR_FALSE;
+    char *				 passwd = NULL;
+    PLOptState *optstate;
+    PLOptStatus status;
+
+    /* Call the NSPR initialization routines */
+    PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
+
+    tmp      = strrchr(argv[0], '/');
+    tmp      = tmp ? tmp + 1 : argv[0];
+    progName = strrchr(tmp, '\\');
+    progName = progName ? progName + 1 : tmp;
+ 
+
+    optstate = PL_CreateOptState(argc, argv, "2:C:c:d:f:n:op:vw:");
+    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
+	switch(optstate->option) {
+
+	case '2':
+	    fileName = optstate->value;
+	    break;
+	case 'C':
+	    cipherString = optstate->value;
+	    break;
+
+	case 'c':
+	    connections = PORT_Atoi(optstate->value);
+	    break;
+
+	case 'd':
+	    dir = optstate->value;
+	    break;
+
+	case 'f':
+	    fNickName = optstate->value;
+	    break;
+
+        case 'n':
+	    nickName = optstate->value;
+	    break;
+	case 'o':
+	    MakeCertOK = 1;
+	    break;
+
+	case 'p':
+	    port = PORT_Atoi(optstate->value);
+	    break;
+
+        case 'v':
+	    verbose++;
+	    break;
+	case 'w':
+	    passwd = optstate->value;
+	    useCommandLinePasswd = PR_TRUE;
+	    break;
+	case '\0':
+	    hostName = PL_strdup(optstate->value);
+	    break;
+	default:
+	case '?':
+	    Usage(progName);
+	    break;
+
+	}
+    }
+    if (!hostName || status == PL_OPT_BAD)
+    	Usage(progName);
+
+    if (port == 0)
+	Usage(progName);
+
+    if (fileName)
+    	readBigFile(fileName);
+
+    /* set our password function */
+	if ( useCommandLinePasswd ) {
+		PK11_SetPasswordFunc(ownPasswd);
+	} else {
+    	PK11_SetPasswordFunc(SECU_GetModulePassword);
+	}
+
+    /* Call the libsec initialization routines */
+    rv = NSS_Init(dir);
+    if (rv != SECSuccess) {
+    	fputs("NSS_Init failed.\n", stderr);
+	exit(1);
+    }
+
+    if (nickName) {
+
+	if (useCommandLinePasswd) {
+		    cert[kt_rsa] = PK11_FindCertFromNickname(nickName, passwd);
+	} else {
+			cert[kt_rsa] = PK11_FindCertFromNickname(nickName, NULL);
+	}
+	if (cert[kt_rsa] == NULL) {
+	    fprintf(stderr, "Can't find certificate %s\n", nickName);
+	    exit(1);
+	}
+
+	if (useCommandLinePasswd) {
+		    privKey[kt_rsa] = PK11_FindKeyByAnyCert(cert[kt_rsa], passwd);
+	} else {
+			privKey[kt_rsa] = PK11_FindKeyByAnyCert(cert[kt_rsa], NULL);
+	}
+
+	if (privKey[kt_rsa] == NULL) {
+	    fprintf(stderr, "Can't find Private Key for cert %s\n", nickName);
+	    exit(1);
+	}
+
+    }
+    if (fNickName) {
+	cert[kt_fortezza] = PK11_FindCertFromNickname(fNickName, NULL);
+	if (cert[kt_fortezza] == NULL) {
+	    fprintf(stderr, "Can't find certificate %s\n", fNickName);
+	    exit(1);
+	}
+
+	privKey[kt_fortezza] = PK11_FindKeyByAnyCert(cert[kt_fortezza], NULL);
+	if (privKey[kt_fortezza] == NULL) {
+	    fprintf(stderr, "Can't find Private Key for cert %s\n", fNickName);
+	    exit(1);
+	}
+    }
+
+    client_main(port, connections, privKey, cert, hostName, nickName);
+
+    /* some final stats. */
+    printf("%ld cache hits; %ld cache misses, %ld cache not reusable\n",
+    	ssl3_hsh_sid_cache_hits, 
+	ssl3_hsh_sid_cache_misses,
+	ssl3_hsh_sid_cache_not_ok);
+
+    NSS_Shutdown();
+    PR_Cleanup();
+    return 0;
+}
+
diff --git a/security/nss/lib/fortcrypt/genci.h b/security/nss/lib/fortcrypt/genci.h
new file mode 100644
index 000000000..7868e1853
--- /dev/null
+++ b/security/nss/lib/fortcrypt/genci.h
@@ -0,0 +1,145 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * the following header file switches between MACI and CI based on
+ * compile options. That lest the rest of the source code operate
+ * without change, even if it only suports CI_ calls, not MACI_ calls
+ */
+#ifndef _GENCI_H_
+#define _GENCI_H_ 1
+#include "seccomon.h"
+
+#if defined (XP_UNIX) || defined (XP_WIN32)
+
+/*
+ * On unix, NT, and Windows '95 we use full maci
+ */
+#include "maci.h"
+
+#define MACI_SEL(x) 
+
+/*
+ * for sec-for.c
+ */
+#define CI_Initialize	MACI_Initialize
+#define CI_Terminate()  { HSESSION hs;\
+			  MACI_GetSessionID(&hs);\
+			  MACI_Terminate(hs); }
+
+#else
+
+/*
+ * On Mac we use the original CI_LIB
+ */
+#include "cryptint.h"
+
+/*
+ * MACI specific values not defined for CI lib
+ */
+#define MACI_SESSION_EXCEEDED     (-53)
+
+#ifndef HSESSION_DEFINE
+typedef unsigned int HSESSION;
+#define HSESSION_DEFINE
+#endif
+
+/*
+ * Map MACI_ calls to CI_ calls. NOTE: this assumes the proper CI_Select
+ * calls are issued in the CI_ case
+ */
+#define MACI_ChangePIN(s,pin,old,new)		CI_ChangePIN(pin,old,new)
+#define MACI_CheckPIN(s,type,pin)   		CI_CheckPIN(type,pin)
+#define MACI_Close(s,flag,socket)		CI_Close(flag,socket)
+#define MACI_Decrypt(s,size,in,out)		CI_Decrypt(size,in,out)
+#define MACI_DeleteCertificate(s,cert)		CI_DeleteCertificate(cert)
+#define MACI_DeleteKey(s,index)			CI_DeleteKey(index)
+#define MACI_Encrypt(s,size,in,out)		CI_Encrypt(size,in,out)
+#define MACI_ExtractX(s,cert,type,pass,ySize,y,x,Ra,pgSize,qSize,p,q,g) \
+		CI_ExtractX(cert,type,pass,ySize,y,x,Ra,pgSize,qSize,p,q,g)
+#define MACI_FirmwareUpdate(s,flags,Cksum,len,size,data) \
+			CI_FirmwareUpdate(flags,Cksum,len,size,data)
+#define MACI_GenerateIV(s,iv)			CI_GenerateIV(iv)
+#define MACI_GenerateMEK(s,index,res)		CI_GenerateMEK(index,res)
+#define MACI_GenerateRa(s,Ra)			CI_GenerateRa(Ra)
+#define MACI_GenerateRandom(s,ran)		CI_GenerateRandom(ran)
+#define MACI_GenerateTEK(s,flag,index,Ra,Rb,size,Y) \
+				CI_GenerateTEK(flag,index,Ra,Rb,size,Y)
+#define MACI_GenerateX(s,cert,type,pgSize,qSize,p,q,g,ySize,y) \
+			CI_GenerateX(cert,type,pgSize,qSize,p,q,g,ySize,y)
+#define MACI_GetCertificate(s,cert,val)		CI_GetCertificate(cert,val)
+#define MACI_GetConfiguration(s,config)		CI_GetConfiguration(config)
+#define MACI_GetHash(s,size,data,val)		CI_GetHash(size,data,val)
+#define MACI_GetPersonalityList(s,cnt,list)	CI_GetPersonalityList(cnt,list)
+#define MACI_GetSessionID(s)			CI_OK
+#define MACI_GetState(s,state)			CI_GetState(state)
+#define MACI_GetStatus(s,status)		CI_GetStatus(status)
+#define MACI_GetTime(s,time)			CI_GetTime(time)
+#define MACI_Hash(s,size,data)			CI_Hash(size,data)
+#define MACI_Initialize(count)			CI_Initialize(count)
+#define MACI_InitializeHash(s)			CI_InitializeHash()
+#define MACI_InstallX(s,cert,type,pass,ySize,y,x,Ra,pgSize,qSize,p,q,g) \
+		CI_InstallX(cert,type,pass,ySize,y,x,Ra,pgSize,qSize,p,q,g)
+#define MACI_LoadCertificate(s,cert,label,data,res) \
+					CI_LoadCertificate(cert,label,data,res)
+#define MACI_LoadDSAParameters(s,pgSize,qSize,p,q,g) \
+				CI_LoadDSAParameters(pgSize,qSize,p,q,g)
+#define MACI_LoadInitValues(s,seed,Ks)		CI_LoadInitValues(seed,Ks)
+#define MACI_LoadIV(s,iv)			CI_LoadIV(iv)
+#define MACI_LoadX(s,cert,type,pgSize,qSize,p,q,g,x,ySize,y) \
+			CI_LoadX(cert,type,pgSize,qSize,p,q,g,x,ySize,y)
+#define MACI_Lock(s,flags)			CI_Lock(flags)
+#define MACI_Open(s,flags,index)		CI_Open(flags,index)
+#define MACI_RelayX(s,oPass,oSize,oY,oRa,oX,nPass,nSize,nY,nRa,nX) \
+			CI_RelayX(oPass,oSize,oY,oRa,oX,nPass,nSize,nY,nRa,nX)
+#define MACI_Reset(s)				CI_Reset()
+#define MACI_Restore(s,type,data)		CI_Restore(type,data)
+#define MACI_Save(s,type,data)			CI_Save(type,data)
+#define MACI_Select(s,socket)			CI_Select(socket)
+#define MACI_SetConfiguration(s,typ,sz,d)	CI_SetConfiguration(typ,sz,d)
+#define MACI_SetKey(s,key)			CI_SetKey(key)
+#define MACI_SetMode(s,type,mode)		CI_SetMode(type,mode)
+#define MACI_SetPersonality(s,index)		CI_SetPersonality(index)
+#define MACI_SetTime(s,time)			CI_SetTime(time)
+#define MACI_Sign(s,hash,sig)			CI_Sign(hash,sig)
+#define MACI_Terminate(s)			CI_Terminate()
+#define MACI_TimeStamp(s,val,sig,time)		CI_TimeStamp(val,sig,time)
+#define MACI_Unlock(s)				CI_Unlock()
+#define MACI_UnwrapKey(s,targ,wrap,key)		CI_UnwrapKey(targ,wrap,key)
+#define MACI_VerifySignature(s,h,siz,y,sig)	CI_VerifySignature(h,siz,y,sig)
+#define MACI_VerifyTimeStamp(s,hash,sig,tim)	CI_VerityTimeStap(hash,sig,tim)
+#define MACI_WrapKey(s,src,wrap,key)		CI_WrapKey(src,wrap,key)
+#define MACI_Zeroize(s)				CI_Zeroize()
+
+#define MACI_SEL(x)	CI_Select(x)
+#endif /* ! XP_UNIX */
+#endif /* _GENCI_H_ */
diff --git a/security/nss/lib/jar/jarevil.c b/security/nss/lib/jar/jarevil.c
new file mode 100644
index 000000000..08fa1ee6c
--- /dev/null
+++ b/security/nss/lib/jar/jarevil.c
@@ -0,0 +1,571 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ *  JAREVIL
+ *
+ *  Wrappers to callback in the mozilla thread
+ *
+ *  Certificate code is unsafe when called outside the
+ *  mozilla thread. These functions push an event on the
+ *  queue to cause the cert function to run in that thread. 
+ *
+ */
+
+#include "jar.h"
+#include "jarint.h"
+
+#include "jarevil.h"
+
+/* from libevent.h */
+#ifdef MOZILLA_CLIENT_OLD
+typedef void (*ETVoidPtrFunc) (void * data);
+extern void ET_moz_CallFunction (ETVoidPtrFunc fn, void *data);
+
+extern void *mozilla_event_queue;
+#endif
+
+
+/* Special macros facilitate running on Win 16 */
+#if defined(XP_PC) && !defined(_WIN32)   /* then we are win 16 */ 
+
+  /* 
+   * Allocate the data passed to the callback functions from the heap...
+   *
+   * This inter-thread structure cannot reside on a thread stack since the 
+   * thread's stack is swapped away with the thread under Win16...
+   */
+
+ #define ALLOC_OR_DEFINE(type, pointer_var_name, out_of_memory_return_value) \
+         type * pointer_var_name = PORT_ZAlloc (sizeof(type));               \
+         do {                                                                \
+           if (!pointer_var_name)                                            \
+             return (out_of_memory_return_value);                            \
+         } while (0)   /* and now a semicolon can follow :-) */
+
+ #define FREE_IF_ALLOC_IS_USED(pointer_var_name) PORT_Free(pointer_var_name)
+
+#else /* not win 16... so we can alloc via auto variables */
+
+ #define ALLOC_OR_DEFINE(type, pointer_var_name, out_of_memory_return_value) \
+         type actual_structure_allocated_in_macro;                           \
+         type * pointer_var_name = &actual_structure_allocated_in_macro;     \
+         PORT_Memset (pointer_var_name, 0, sizeof (*pointer_var_name));      \
+         ((void) 0) /* and now a semicolon can follow  */
+
+ #define FREE_IF_ALLOC_IS_USED(pointer_var_name) ((void) 0)
+
+#endif /* not Win 16 */
+
+/* --- --- --- --- --- --- --- --- --- --- --- --- --- */
+
+/*
+ *  JAR_MOZ_encode
+ *
+ *  Call SEC_PKCS7Encode inside
+ *  the mozilla thread
+ *
+ */
+
+struct EVIL_encode
+  {
+  int error;
+  SECStatus status;
+  SEC_PKCS7ContentInfo *cinfo;
+  SEC_PKCS7EncoderOutputCallback outputfn;
+  void *outputarg;
+  PK11SymKey *bulkkey;
+  SECKEYGetPasswordKey pwfn;
+  void *pwfnarg;
+  };
+
+
+/* This is called inside the mozilla thread */
+
+PR_STATIC_CALLBACK(void) jar_moz_encode_fn (void *data)
+  {
+  SECStatus status;
+  struct EVIL_encode *encode_data = (struct EVIL_encode *)data;
+
+  PORT_SetError (encode_data->error);
+
+  status = SEC_PKCS7Encode (encode_data->cinfo, encode_data->outputfn, 
+                            encode_data->outputarg, encode_data->bulkkey, 
+                            encode_data->pwfn, encode_data->pwfnarg);
+
+  encode_data->status = status;
+  encode_data->error = PORT_GetError();
+  }
+
+
+/* Wrapper for the ET_MOZ call */
+ 
+SECStatus jar_moz_encode
+      (
+      SEC_PKCS7ContentInfo *cinfo,
+      SEC_PKCS7EncoderOutputCallback  outputfn,
+      void *outputarg,
+      PK11SymKey *bulkkey,
+      SECKEYGetPasswordKey pwfn,
+      void *pwfnarg
+      )
+  {
+  SECStatus ret;
+  ALLOC_OR_DEFINE(struct EVIL_encode, encode_data, SECFailure);
+
+  encode_data->error     = PORT_GetError();
+  encode_data->cinfo     = cinfo;
+  encode_data->outputfn  = outputfn;
+  encode_data->outputarg = outputarg;
+  encode_data->bulkkey   = bulkkey;
+  encode_data->pwfn      = pwfn;
+  encode_data->pwfnarg   = pwfnarg;
+
+  /* Synchronously invoke the callback function on the mozilla thread. */
+#ifdef MOZILLA_CLIENT_OLD
+  if (mozilla_event_queue)
+    ET_moz_CallFunction (jar_moz_encode_fn, encode_data);
+  else
+    jar_moz_encode_fn (encode_data);
+#else
+  jar_moz_encode_fn (encode_data);
+#endif
+
+  PORT_SetError (encode_data->error);
+  ret = encode_data->status;
+
+  /* Free the data passed to the callback function... */
+  FREE_IF_ALLOC_IS_USED(encode_data);
+  return ret;
+  }
+
+/* --- --- --- --- --- --- --- --- --- --- --- --- --- */
+
+/*
+ *  JAR_MOZ_verify
+ *
+ *  Call SEC_PKCS7VerifyDetachedSignature inside
+ *  the mozilla thread
+ *
+ */
+
+struct EVIL_verify
+  {
+  int error;
+  SECStatus status;
+  SEC_PKCS7ContentInfo *cinfo;
+  SECCertUsage certusage;
+  SECItem *detached_digest;
+  HASH_HashType digest_type;
+  PRBool keepcerts;
+  };
+
+/* This is called inside the mozilla thread */
+
+PR_STATIC_CALLBACK(void) jar_moz_verify_fn (void *data)
+  {
+	PRBool result;
+  struct EVIL_verify *verify_data = (struct EVIL_verify *)data;
+
+  PORT_SetError (verify_data->error);
+
+  result = SEC_PKCS7VerifyDetachedSignature
+        (verify_data->cinfo, verify_data->certusage, verify_data->detached_digest, 
+         verify_data->digest_type, verify_data->keepcerts);
+	
+
+  verify_data->status = result==PR_TRUE ? SECSuccess : SECFailure;
+  verify_data->error = PORT_GetError();
+  }
+
+
+/* Wrapper for the ET_MOZ call */
+ 
+SECStatus jar_moz_verify
+      (
+      SEC_PKCS7ContentInfo *cinfo,
+      SECCertUsage certusage,
+      SECItem *detached_digest,
+      HASH_HashType digest_type,
+      PRBool keepcerts
+      )
+  {
+  SECStatus ret;
+  ALLOC_OR_DEFINE(struct EVIL_verify, verify_data, SECFailure);
+
+  verify_data->error           = PORT_GetError();
+  verify_data->cinfo           = cinfo;
+  verify_data->certusage       = certusage;
+  verify_data->detached_digest = detached_digest;
+  verify_data->digest_type     = digest_type;
+  verify_data->keepcerts       = keepcerts;
+
+  /* Synchronously invoke the callback function on the mozilla thread. */
+#ifdef MOZILLA_CLIENT_OLD
+  if (mozilla_event_queue)
+    ET_moz_CallFunction (jar_moz_verify_fn, verify_data);
+  else
+    jar_moz_verify_fn (verify_data);
+#else
+  jar_moz_verify_fn (verify_data);
+#endif
+
+  PORT_SetError (verify_data->error);
+  ret = verify_data->status;
+
+  /* Free the data passed to the callback function... */
+  FREE_IF_ALLOC_IS_USED(verify_data);
+  return ret;
+  }
+
+/* --- --- --- --- --- --- --- --- --- --- --- --- --- */
+
+/*
+ *  JAR_MOZ_nickname
+ *
+ *  Call CERT_FindCertByNickname inside
+ *  the mozilla thread
+ *
+ */
+
+struct EVIL_nickname
+  {
+  int error;
+  CERTCertDBHandle *certdb;
+  char *nickname;
+  CERTCertificate *cert;
+  };
+
+
+/* This is called inside the mozilla thread */
+
+PR_STATIC_CALLBACK(void) jar_moz_nickname_fn (void *data)
+  {
+  CERTCertificate *cert;
+  struct EVIL_nickname *nickname_data = (struct EVIL_nickname *)data;
+
+  PORT_SetError (nickname_data->error);
+
+  cert = CERT_FindCertByNickname (nickname_data->certdb, nickname_data->nickname);
+
+  nickname_data->cert  = cert;
+  nickname_data->error = PORT_GetError();
+  }
+
+
+/* Wrapper for the ET_MOZ call */
+ 
+CERTCertificate *jar_moz_nickname (CERTCertDBHandle *certdb, char *nickname)
+  {
+  CERTCertificate *cert;
+  ALLOC_OR_DEFINE(struct EVIL_nickname, nickname_data, NULL );
+
+  nickname_data->error    = PORT_GetError();
+  nickname_data->certdb   = certdb;
+  nickname_data->nickname = nickname;
+
+  /* Synchronously invoke the callback function on the mozilla thread. */
+#ifdef MOZILLA_CLIENT_OLD
+  if (mozilla_event_queue)
+    ET_moz_CallFunction (jar_moz_nickname_fn, nickname_data);
+  else
+    jar_moz_nickname_fn (nickname_data);
+#else
+  jar_moz_nickname_fn (nickname_data);
+#endif
+
+  PORT_SetError (nickname_data->error);
+  cert = nickname_data->cert;
+
+  /* Free the data passed to the callback function... */
+  FREE_IF_ALLOC_IS_USED(nickname_data);
+  return cert;
+  }
+
+/* --- --- --- --- --- --- --- --- --- --- --- --- --- */
+
+/*
+ *  JAR_MOZ_perm
+ *
+ *  Call CERT_AddTempCertToPerm inside
+ *  the mozilla thread
+ *
+ */
+
+struct EVIL_perm
+  {
+  int error;
+  SECStatus status;
+  CERTCertificate *cert;
+  char *nickname;
+  CERTCertTrust *trust;
+  };
+
+
+/* This is called inside the mozilla thread */
+
+PR_STATIC_CALLBACK(void) jar_moz_perm_fn (void *data)
+  {
+  SECStatus status;
+  struct EVIL_perm *perm_data = (struct EVIL_perm *)data;
+
+  PORT_SetError (perm_data->error);
+
+  status = CERT_AddTempCertToPerm (perm_data->cert, perm_data->nickname, perm_data->trust);
+
+  perm_data->status = status;
+  perm_data->error = PORT_GetError();
+  }
+
+
+/* Wrapper for the ET_MOZ call */
+ 
+SECStatus jar_moz_perm 
+    (CERTCertificate *cert, char *nickname, CERTCertTrust *trust)
+  {
+  SECStatus ret;
+  ALLOC_OR_DEFINE(struct EVIL_perm, perm_data, SECFailure);
+
+  perm_data->error    = PORT_GetError();
+  perm_data->cert     = cert;
+  perm_data->nickname = nickname;
+  perm_data->trust    = trust;
+
+  /* Synchronously invoke the callback function on the mozilla thread. */
+#ifdef MOZILLA_CLIENT_OLD
+  if (mozilla_event_queue)
+    ET_moz_CallFunction (jar_moz_perm_fn, perm_data);
+  else
+    jar_moz_perm_fn (perm_data);
+#else
+  jar_moz_perm_fn (perm_data);
+#endif
+
+  PORT_SetError (perm_data->error);
+  ret = perm_data->status;
+
+  /* Free the data passed to the callback function... */
+  FREE_IF_ALLOC_IS_USED(perm_data);
+  return ret;
+  }
+
+/* --- --- --- --- --- --- --- --- --- --- --- --- --- */
+
+/*
+ *  JAR_MOZ_certkey
+ *
+ *  Call CERT_FindCertByKey inside
+ *  the mozilla thread
+ *
+ */
+
+struct EVIL_certkey
+  {
+  int error;
+  CERTCertificate *cert;
+  CERTCertDBHandle *certdb;
+  SECItem *seckey;
+  };
+
+
+/* This is called inside the mozilla thread */
+
+PR_STATIC_CALLBACK(void) jar_moz_certkey_fn (void *data)
+  {
+  CERTCertificate *cert;
+  struct EVIL_certkey *certkey_data = (struct EVIL_certkey *)data;
+
+  PORT_SetError (certkey_data->error);
+
+  cert = CERT_FindCertByKey (certkey_data->certdb, certkey_data->seckey);
+
+  certkey_data->cert = cert;
+  certkey_data->error = PORT_GetError();
+  }
+
+
+/* Wrapper for the ET_MOZ call */
+ 
+CERTCertificate *jar_moz_certkey (CERTCertDBHandle *certdb, SECItem *seckey)
+  {
+  CERTCertificate *cert;
+  ALLOC_OR_DEFINE(struct EVIL_certkey, certkey_data, NULL);
+
+  certkey_data->error  = PORT_GetError();
+  certkey_data->certdb = certdb;
+  certkey_data->seckey = seckey;
+
+  /* Synchronously invoke the callback function on the mozilla thread. */
+#ifdef MOZILLA_CLIENT_OLD
+  if (mozilla_event_queue)
+    ET_moz_CallFunction (jar_moz_certkey_fn, certkey_data);
+  else
+    jar_moz_certkey_fn (certkey_data);
+#else
+  jar_moz_certkey_fn (certkey_data);
+#endif
+
+  PORT_SetError (certkey_data->error);
+  cert = certkey_data->cert;
+
+  /* Free the data passed to the callback function... */
+  FREE_IF_ALLOC_IS_USED(certkey_data);
+  return cert;
+  }
+
+/* --- --- --- --- --- --- --- --- --- --- --- --- --- */
+
+/*
+ *  JAR_MOZ_issuer
+ *
+ *  Call CERT_FindCertIssuer inside
+ *  the mozilla thread
+ *
+ */
+
+struct EVIL_issuer
+  {
+  int error;
+  CERTCertificate *cert;
+  CERTCertificate *issuer;
+  };
+
+
+/* This is called inside the mozilla thread */
+
+PR_STATIC_CALLBACK(void) jar_moz_issuer_fn (void *data)
+  {
+  CERTCertificate *issuer;
+  struct EVIL_issuer *issuer_data = (struct EVIL_issuer *)data;
+
+  PORT_SetError (issuer_data->error);
+
+  issuer = CERT_FindCertIssuer (issuer_data->cert, PR_Now(),
+				certUsageObjectSigner);
+
+  issuer_data->issuer = issuer;
+  issuer_data->error = PORT_GetError();
+  }
+
+
+/* Wrapper for the ET_MOZ call */
+ 
+CERTCertificate *jar_moz_issuer (CERTCertificate *cert)
+  {
+  CERTCertificate *issuer_cert;
+  ALLOC_OR_DEFINE(struct EVIL_issuer, issuer_data, NULL);
+
+  issuer_data->error = PORT_GetError();
+  issuer_data->cert  = cert;
+
+  /* Synchronously invoke the callback function on the mozilla thread. */
+#ifdef MOZILLA_CLIENT_OLD
+  if (mozilla_event_queue)
+    ET_moz_CallFunction (jar_moz_issuer_fn, issuer_data);
+  else
+    jar_moz_issuer_fn (issuer_data);
+#else
+  jar_moz_issuer_fn (issuer_data);
+#endif
+
+  PORT_SetError (issuer_data->error);
+  issuer_cert = issuer_data->issuer;
+
+  /* Free the data passed to the callback function... */
+  FREE_IF_ALLOC_IS_USED(issuer_data);
+  return issuer_cert;
+  }
+
+/* --- --- --- --- --- --- --- --- --- --- --- --- --- */
+
+/*
+ *  JAR_MOZ_dup
+ *
+ *  Call CERT_DupCertificate inside
+ *  the mozilla thread
+ *
+ */
+
+struct EVIL_dup
+  {
+  int error;
+  CERTCertificate *cert;
+  CERTCertificate *return_cert;
+  };
+
+
+/* This is called inside the mozilla thread */
+
+PR_STATIC_CALLBACK(void) jar_moz_dup_fn (void *data)
+  {
+  CERTCertificate *return_cert;
+  struct EVIL_dup *dup_data = (struct EVIL_dup *)data;
+
+  PORT_SetError (dup_data->error);
+
+  return_cert = CERT_DupCertificate (dup_data->cert);
+
+  dup_data->return_cert = return_cert;
+  dup_data->error = PORT_GetError();
+  }
+
+
+/* Wrapper for the ET_MOZ call */
+ 
+CERTCertificate *jar_moz_dup (CERTCertificate *cert)
+  {
+  CERTCertificate *dup_cert;
+  ALLOC_OR_DEFINE(struct EVIL_dup, dup_data, NULL);
+
+  dup_data->error = PORT_GetError();
+  dup_data->cert  = cert;
+
+  /* Synchronously invoke the callback function on the mozilla thread. */
+#ifdef MOZILLA_CLIENT_OLD
+  if (mozilla_event_queue)
+    ET_moz_CallFunction (jar_moz_dup_fn, dup_data);
+  else
+    jar_moz_dup_fn (dup_data);
+#else
+  jar_moz_dup_fn (dup_data);
+#endif
+
+  PORT_SetError (dup_data->error);
+  dup_cert = dup_data->return_cert;
+
+  /* Free the data passed to the callback function... */
+  FREE_IF_ALLOC_IS_USED(dup_data);
+  return dup_cert;
+  }
+
+/* --- --- --- --- --- --- --- --- --- --- --- --- --- */
diff --git a/security/coreconf/nsinstall/pathsub.h b/security/nss/lib/jar/jarnav.c
index 718c2206f..865ded5da 100644
--- a/security/coreconf/nsinstall/pathsub.h
+++ b/security/nss/lib/jar/jarnav.c
@@ -1,4 +1,4 @@
-/* 
+/*
  * The contents of this file are subject to the Mozilla Public
  * License Version 1.1 (the "License"); you may not use this file
  * except in compliance with the License. You may obtain a copy of
@@ -31,47 +31,77 @@
  * GPL.
  */
 
-#ifndef pathsub_h___
-#define pathsub_h___
 /*
-** Pathname subroutines.
-**
-** Brendan Eich, 8/29/95
-*/
-#include <limits.h>
-#include <sys/types.h>
+ *  JARNAV.C
+ *
+ *  JAR stuff needed for client only.
+ *
+ */
 
-#if SUNOS4
-#include "sunos4.h"
-#endif
+#include "jar.h"
+#include "jarint.h"
 
-#ifndef PATH_MAX
-#define PATH_MAX 1024
+/* from proto.h */
+#ifdef MOZILLA_CLIENT_OLD
+extern MWContext *XP_FindSomeContext(void);
 #endif
 
+/* sigh */
+extern MWContext *FE_GetInitContext(void);
+
+/* To return an MWContext for Java */
+static MWContext *(*jar_fn_FindSomeContext) (void) = NULL;
+
+/* To fabricate an MWContext for FE_GetPassword */
+static MWContext *(*jar_fn_GetInitContext) (void) = NULL;
+
 /*
- * Just keep sane lengths
+ *  J A R _ i n i t
+ *
+ *  Initialize the JAR functions.
+ * 
  */
-#undef NAME_MAX
-#define NAME_MAX 256
 
-extern char *program;
+void JAR_init (void)
+  {
+#ifdef MOZILLA_CLIENT_OLD
+  JAR_init_callbacks (XP_GetString, XP_FindSomeContext, FE_GetInitContext);
+#else
+  JAR_init_callbacks (XP_GetString, NULL, NULL);
+#endif
+  }
 
-extern void fail(char *format, ...);
-extern char *getcomponent(char *path, char *name);
-extern char *ino2name(ino_t ino, char *dir);
-extern void *xmalloc(size_t size);
-extern char *xstrdup(char *s);
-extern char *xbasename(char *path);
-extern void xchdir(char *dir);
+/*
+ *  J A R _ s e t _ c o n t e x t
+ *
+ *  Set the jar window context for use by PKCS11, since
+ *  it may be needed to prompt the user for a password.
+ *
+ */
 
-/* Relate absolute pathnames from and to returning the result in outpath. */
-extern int relatepaths(char *from, char *to, char *outpath);
+int JAR_set_context (JAR *jar, MWContext *mw)
+  {
+  if (mw)
+    {
+    jar->mw = mw;
+    }
+  else
+    {
+    /* jar->mw = XP_FindSomeContext(); */
+    jar->mw = NULL;
 
-/* NOTE: changes current working directory -- caveat emptor */
-extern void reversepath(char *inpath, char *name, int len, char *outpath);
+    /*
+     * We can't find a context because we're in startup state and none
+     * exist yet. go get an FE_InitContext that only works at initialization
+     * time.
+     */
 
-/* stats every directory in path, reports results. */
-extern void diagnosePath(const char * path);
+    /* Turn on the mac when we get the FE_ function */
+    if (jar->mw == NULL)
+      {
+      jar->mw = jar_fn_GetInitContext();
+      }
+   }
 
-#endif /* pathsub_h___ */
+  return 0;
+  }
diff --git a/security/nss/lib/jar/jarsign.c b/security/nss/lib/jar/jarsign.c
new file mode 100644
index 000000000..d03f980b0
--- /dev/null
+++ b/security/nss/lib/jar/jarsign.c
@@ -0,0 +1,377 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ *  JARSIGN
+ *
+ *  Routines used in signing archives.
+ */
+
+
+#define USE_MOZ_THREAD
+
+#include "jar.h"
+#include "jarint.h"
+
+#ifdef USE_MOZ_THREAD
+#include "jarevil.h"
+#endif
+
+#include "pk11func.h"
+
+/* from libevent.h */
+typedef void (*ETVoidPtrFunc) (void * data);
+
+#ifdef MOZILLA_CLIENT_OLD
+
+extern void ET_moz_CallFunction (ETVoidPtrFunc fn, void *data);
+
+/* from proto.h */
+/* extern MWContext *XP_FindSomeContext(void); */
+extern void *XP_FindSomeContext(void);
+
+#endif
+
+/* key database wrapper */
+
+/* static SECKEYKeyDBHandle *jar_open_key_database (void); */
+
+/* CHUNQ is our bite size */
+
+#define CHUNQ 64000
+#define FILECHUNQ 32768
+
+/*
+ *  J A R _ c a l c u l a t e _ d i g e s t 
+ *
+ *  Quick calculation of a digest for
+ *  the specified block of memory. Will calculate
+ *  for all supported algorithms, now MD5.
+ *
+ *  This version supports huge pointers for WIN16.
+ * 
+ */
+
+JAR_Digest * PR_CALLBACK JAR_calculate_digest (void ZHUGEP *data, long length)
+  {
+  long chunq;
+  JAR_Digest *dig;
+
+  unsigned int md5_length, sha1_length;
+
+  PK11Context *md5  = 0;
+  PK11Context *sha1 = 0;
+
+  dig = (JAR_Digest *) PORT_ZAlloc (sizeof (JAR_Digest));
+
+  if (dig == NULL) 
+    {
+    /* out of memory allocating digest */
+    return NULL;
+    }
+
+#if defined(XP_WIN16)
+  PORT_Assert ( !IsBadHugeReadPtr(data, length) );
+#endif
+
+  md5  = PK11_CreateDigestContext (SEC_OID_MD5);
+  sha1 = PK11_CreateDigestContext (SEC_OID_SHA1);
+
+  if (length >= 0) 
+    {
+    PK11_DigestBegin (md5);
+    PK11_DigestBegin (sha1);
+
+    do {
+       chunq = length;
+
+#ifdef XP_WIN16
+       if (length > CHUNQ) chunq = CHUNQ;
+
+       /*
+        *  If the block of data crosses one or more segment 
+        *  boundaries then only pass the chunk of data in the 
+        *  first segment.
+        * 
+        *  This allows the data to be treated as FAR by the
+        *  PK11_DigestOp(...) routine.
+        *
+        */
+
+       if (OFFSETOF(data) + chunq >= 0x10000) 
+         chunq = 0x10000 - OFFSETOF(data);
+#endif
+
+       PK11_DigestOp (md5,  (unsigned char*)data, chunq);
+       PK11_DigestOp (sha1, (unsigned char*)data, chunq);
+
+       length -= chunq;
+       data = ((char ZHUGEP *) data + chunq);
+       } 
+    while (length > 0);
+
+    PK11_DigestFinal (md5,  dig->md5,  &md5_length,  MD5_LENGTH);
+    PK11_DigestFinal (sha1, dig->sha1, &sha1_length, SHA1_LENGTH);
+
+    PK11_DestroyContext (md5,  PR_TRUE);
+    PK11_DestroyContext (sha1, PR_TRUE);
+    }
+
+  return dig;
+  }
+
+/*
+ *  J A R _ d i g e s t _ f i l e
+ *
+ *  Calculates the MD5 and SHA1 digests for a file 
+ *  present on disk, and returns these in JAR_Digest struct.
+ *
+ */
+
+int JAR_digest_file (char *filename, JAR_Digest *dig)
+    {
+    JAR_FILE fp;
+
+    int num;
+    unsigned char *buf;
+
+    PK11Context *md5 = 0;
+    PK11Context *sha1 = 0;
+
+    unsigned int md5_length, sha1_length;
+
+    buf = (unsigned char *) PORT_ZAlloc (FILECHUNQ);
+    if (buf == NULL)
+      {
+      /* out of memory */
+      return JAR_ERR_MEMORY;
+      }
+ 
+    if ((fp = JAR_FOPEN (filename, "rb")) == 0)
+      {
+      /* perror (filename); FIX XXX XXX XXX XXX XXX XXX */
+      PORT_Free (buf);
+      return JAR_ERR_FNF;
+      }
+
+    md5 = PK11_CreateDigestContext (SEC_OID_MD5);
+    sha1 = PK11_CreateDigestContext (SEC_OID_SHA1);
+
+    if (md5 == NULL || sha1 == NULL) 
+      {
+      /* can't generate digest contexts */
+      PORT_Free (buf);
+      JAR_FCLOSE (fp);
+      return JAR_ERR_GENERAL;
+      }
+
+    PK11_DigestBegin (md5);
+    PK11_DigestBegin (sha1);
+
+    while (1)
+      {
+      if ((num = JAR_FREAD (fp, buf, FILECHUNQ)) == 0)
+        break;
+
+      PK11_DigestOp (md5, buf, num);
+      PK11_DigestOp (sha1, buf, num);
+      }
+
+    PK11_DigestFinal (md5, dig->md5, &md5_length, MD5_LENGTH);
+    PK11_DigestFinal (sha1, dig->sha1, &sha1_length, SHA1_LENGTH);
+
+    PK11_DestroyContext (md5, PR_TRUE);
+    PK11_DestroyContext (sha1, PR_TRUE);
+
+    PORT_Free (buf);
+    JAR_FCLOSE (fp);
+
+    return 0;
+    }
+
+/*
+ *  J A R _ o p e n _ k e y _ d a t a b a s e
+ *
+ */
+
+SECKEYKeyDBHandle *jar_open_key_database (void)
+  {
+  SECKEYKeyDBHandle *keydb;
+
+  keydb = SECKEY_GetDefaultKeyDB();
+
+  if (keydb == NULL)
+    { /* open by file if this fails, if jartool is to call this */ ; }
+
+  return keydb;
+  }
+
+int jar_close_key_database (SECKEYKeyDBHandle *keydb)
+  {
+  /* We never do close it */
+  return 0;
+  }
+
+
+/*
+ *  j a r _ c r e a t e _ p k 7
+ *
+ */
+
+static void jar_pk7_out (void *arg, const char *buf, unsigned long len)
+  {
+  JAR_FWRITE ((JAR_FILE) arg, buf, len);
+  }
+
+int jar_create_pk7 
+   (CERTCertDBHandle *certdb, SECKEYKeyDBHandle *keydb, 
+       CERTCertificate *cert, char *password, JAR_FILE infp, JAR_FILE outfp)
+  {
+  int nb;
+  unsigned char buffer [4096], digestdata[32];
+  SECHashObject *hashObj;
+  void *hashcx;
+  unsigned int len;
+
+  int status = 0;
+  char *errstring;
+
+  SECItem digest;
+  SEC_PKCS7ContentInfo *cinfo;
+  SECStatus rv;
+
+  void /*MWContext*/ *mw;
+
+  if (outfp == NULL || infp == NULL || cert == NULL)
+    return JAR_ERR_GENERAL;
+
+  /* we sign with SHA */
+  hashObj = &SECHashObjects [HASH_AlgSHA1];
+
+  hashcx = (* hashObj->create)();
+  if (hashcx == NULL)
+    return JAR_ERR_GENERAL;
+
+  (* hashObj->begin)(hashcx);
+
+  while (1)
+    {
+    /* nspr2.0 doesn't support feof 
+       if (feof (infp)) break; */
+
+    nb = JAR_FREAD (infp, buffer, sizeof (buffer));
+    if (nb == 0) 
+      {
+#if 0
+      if (ferror(infp)) 
+        {
+        /* PORT_SetError(SEC_ERROR_IO); */ /* FIX */
+	(* hashObj->destroy) (hashcx, PR_TRUE);
+	return JAR_ERR_GENERAL;
+        }
+#endif
+      /* eof */
+      break;
+      }
+    (* hashObj->update) (hashcx, buffer, nb);
+    }
+
+  (* hashObj->end) (hashcx, digestdata, &len, 32);
+  (* hashObj->destroy) (hashcx, PR_TRUE);
+
+  digest.data = digestdata;
+  digest.len = len;
+
+  /* signtool must use any old context it can find since it's
+     calling from inside javaland. */
+
+#ifdef MOZILLA_CLIENT_OLD
+  mw = XP_FindSomeContext();
+#else
+  mw = NULL;
+#endif
+
+  PORT_SetError (0);
+
+  cinfo = SEC_PKCS7CreateSignedData 
+             (cert, certUsageObjectSigner, NULL, 
+                SEC_OID_SHA1, &digest, NULL, (void *) mw);
+
+  if (cinfo == NULL)
+    return JAR_ERR_PK7;
+
+  rv = SEC_PKCS7IncludeCertChain (cinfo, NULL);
+  if (rv != SECSuccess) 
+    {
+    status = PORT_GetError();
+    SEC_PKCS7DestroyContentInfo (cinfo);
+    return status;
+    }
+
+  /* Having this here forces signtool to always include
+     signing time. */
+
+  rv = SEC_PKCS7AddSigningTime (cinfo);
+  if (rv != SECSuccess)
+    {
+    /* don't check error */
+    }
+
+  PORT_SetError (0);
+
+#ifdef USE_MOZ_THREAD
+  /* if calling from mozilla */
+  rv = jar_moz_encode
+             (cinfo, jar_pk7_out, outfp, 
+                 NULL,  /* pwfn */ NULL,  /* pwarg */ (void *) mw);
+#else
+  /* if calling from mozilla thread*/
+  rv = SEC_PKCS7Encode 
+             (cinfo, jar_pk7_out, outfp, 
+                 NULL,  /* pwfn */ NULL,  /* pwarg */ (void *) mw):
+#endif
+
+  if (rv != SECSuccess)
+    status = PORT_GetError();
+
+  SEC_PKCS7DestroyContentInfo (cinfo);
+
+  if (rv != SECSuccess)
+    {
+    errstring = JAR_get_error (status);
+    /*XP_TRACE (("Jar signing failed (reason %d = %s)", status, errstring));*/
+    return status < 0 ? status : JAR_ERR_GENERAL;
+    }
+
+  return 0;
+  }
diff --git a/security/nss/lib/jar/jarver.c b/security/nss/lib/jar/jarver.c
new file mode 100644
index 000000000..914818479
--- /dev/null
+++ b/security/nss/lib/jar/jarver.c
@@ -0,0 +1,2029 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ *  JARVER
+ *
+ *  Jarnature Parsing & Verification
+ */
+
+#define USE_MOZ_THREAD
+
+#include "jar.h"
+#include "jarint.h"
+
+#ifdef USE_MOZ_THREAD
+#include "jarevil.h"
+#endif
+#include "cdbhdl.h"
+
+/* to use huge pointers in win16 */
+
+#if !defined(XP_WIN16)
+#define xp_HUGE_MEMCPY PORT_Memcpy
+#define xp_HUGE_STRCPY PORT_Strcpy
+#define xp_HUGE_STRLEN PORT_Strlen
+#define xp_HUGE_STRNCASECMP PORT_Strncasecmp
+#else
+#define xp_HUGE_MEMCPY hmemcpy
+int xp_HUGE_STRNCASECMP (char ZHUGEP *buf, char *key, int len);
+size_t xp_HUGE_STRLEN (char ZHUGEP *s);
+char *xp_HUGE_STRCPY (char *to, char ZHUGEP *from);
+#endif
+
+/* from certdb.h */
+#define CERTDB_USER (1<<6)
+
+#if 0
+/* from certdb.h */
+extern PRBool SEC_CertNicknameConflict
+   (char *nickname, CERTCertDBHandle *handle);
+/* from certdb.h */
+extern SECStatus SEC_AddTempNickname
+   (CERTCertDBHandle *handle, char *nickname, SECItem *certKey);
+/* from certdb.h */
+typedef SECStatus (* PermCertCallback)(CERTCertificate *cert, SECItem *k, void *pdata);
+#endif
+
+/* from certdb.h */
+SECStatus SEC_TraversePermCerts
+   (CERTCertDBHandle *handle, PermCertCallback certfunc, void *udata);
+
+
+#define SZ 512
+
+static int jar_validate_pkcs7 
+     (JAR *jar, JAR_Signer *signer, char *data, long length);
+
+static int jar_decode (JAR *jar, char *data, long length);
+
+static void jar_catch_bytes
+     (void *arg, const char *buf, unsigned long len);
+
+static int jar_gather_signers
+     (JAR *jar, JAR_Signer *signer, SEC_PKCS7ContentInfo *cinfo);
+
+static char ZHUGEP *jar_eat_line 
+     (int lines, int eating, char ZHUGEP *data, long *len);
+
+static JAR_Digest *jar_digest_section 
+     (char ZHUGEP *manifest, long length);
+
+static JAR_Digest *jar_get_mf_digest (JAR *jar, char *path);
+
+static int jar_parse_digital_signature 
+     (char *raw_manifest, JAR_Signer *signer, long length, JAR *jar);
+
+static int jar_add_cert
+     (JAR *jar, JAR_Signer *signer, int type, CERTCertificate *cert);
+
+static CERTCertificate *jar_get_certificate
+            (JAR *jar, long keylen, void *key, int *result);
+
+static char *jar_cert_element (char *name, char *tag, int occ);
+
+static char *jar_choose_nickname (CERTCertificate *cert);
+
+static char *jar_basename (const char *path);
+
+static int jar_signal 
+     (int status, JAR *jar, const char *metafile, char *pathname);
+
+static int jar_insanity_check (char ZHUGEP *data, long length);
+
+int jar_parse_mf
+    (JAR *jar, char ZHUGEP *raw_manifest, 
+        long length, const char *path, const char *url);
+
+int jar_parse_sf
+    (JAR *jar, char ZHUGEP *raw_manifest, 
+        long length, const char *path, const char *url);
+
+int jar_parse_sig
+    (JAR *jar, const char *path, char ZHUGEP *raw_manifest, long length);
+
+int jar_parse_any
+    (JAR *jar, int type, JAR_Signer *signer, char ZHUGEP *raw_manifest, 
+        long length, const char *path, const char *url);
+
+static int jar_internal_digest 
+     (JAR *jar, const char *path, char *x_name, JAR_Digest *dig);
+
+/*
+ *  J A R _ p a r s e _ m a n i f e s t
+ * 
+ *  Pass manifest files to this function. They are
+ *  decoded and placed into internal representations.
+ * 
+ *  Accepts both signature and manifest files. Use
+ *  the same "jar" for both. 
+ *
+ */
+
+int JAR_parse_manifest 
+    (JAR *jar, char ZHUGEP *raw_manifest, 
+        long length, const char *path, const char *url)
+  {
+
+#if defined(XP_WIN16)
+    PORT_Assert( !IsBadHugeReadPtr(raw_manifest, length) );
+#endif
+
+  /* fill in the path, if supplied. This is a the location
+     of the jar file on disk, if known */
+
+  if (jar->filename == NULL && path)
+    {
+    jar->filename = PORT_Strdup (path);
+    if (jar->filename == NULL)
+      return JAR_ERR_MEMORY;
+    }
+
+  /* fill in the URL, if supplied. This is the place
+     from which the jar file was retrieved. */
+
+  if (jar->url == NULL && url)
+    {
+    jar->url = PORT_Strdup (url);
+    if (jar->url == NULL)
+      return JAR_ERR_MEMORY;
+    }
+
+  /* Determine what kind of file this is from the META-INF 
+     directory. It could be MF, SF, or a binary RSA/DSA file */
+
+  if (!xp_HUGE_STRNCASECMP (raw_manifest, "Manifest-Version:", 17))
+    {
+    return jar_parse_mf (jar, raw_manifest, length, path, url);
+    }
+  else if (!xp_HUGE_STRNCASECMP (raw_manifest, "Signature-Version:", 18))
+    {
+    return jar_parse_sf (jar, raw_manifest, length, path, url);
+    }
+  else
+    {
+    /* This is probably a binary signature */
+    return jar_parse_sig (jar, path, raw_manifest, length);
+    }
+  }
+
+/*
+ *  j a r _ p a r s e _ s i g
+ *
+ *  Pass some manner of RSA or DSA digital signature
+ *  on, after checking to see if it comes at an appropriate state.
+ *
+ */
+ 
+int jar_parse_sig
+    (JAR *jar, const char *path, char ZHUGEP *raw_manifest, long length)
+  {
+  JAR_Signer *signer;
+  int status = JAR_ERR_ORDER;
+
+  if (length <= 128) 
+    {
+    /* signature is way too small */
+    return JAR_ERR_SIG;
+    }
+
+  /* make sure that MF and SF have already been processed */
+
+  if (jar->globalmeta == NULL)
+    return JAR_ERR_ORDER;
+
+#if 0
+  /* XXX Turn this on to disable multiple signers */
+  if (jar->digest == NULL)
+    return JAR_ERR_ORDER;
+#endif
+
+  /* Determine whether or not this RSA file has
+     has an associated SF file */
+
+  if (path)
+    {
+    char *owner;
+    owner = jar_basename (path);
+
+    if (owner == NULL)
+      return JAR_ERR_MEMORY;
+
+    signer = jar_get_signer (jar, owner);
+
+    PORT_Free (owner);
+    }
+  else
+    signer = jar_get_signer (jar, "*");
+
+  if (signer == NULL)
+    return JAR_ERR_ORDER;
+
+
+  /* Do not pass a huge pointer to this function,
+     since the underlying security code is unaware. We will
+     never pass >64k through here. */
+
+  if (length > 64000)
+    {
+    /* this digital signature is way too big */
+    return JAR_ERR_SIG;
+    }
+
+#ifdef XP_WIN16
+  /*
+   * For Win16, copy the portion of the raw_buffer containing the digital 
+   * signature into another buffer...  This insures that the data will
+   * NOT cross a segment boundary.  Therefore, 
+   * jar_parse_digital_signature(...) does NOT need to deal with HUGE 
+   * pointers...
+   */
+
+    {
+    unsigned char *manifest_copy;
+
+    manifest_copy = (unsigned char *) PORT_ZAlloc (length);
+    if (manifest_copy)
+      {
+      xp_HUGE_MEMCPY (manifest_copy, raw_manifest, length);
+
+      status = jar_parse_digital_signature 
+                  (manifest_copy, signer, length, jar);
+
+      PORT_Free (manifest_copy);
+      }
+    else
+      {
+      /* out of memory */
+      return JAR_ERR_MEMORY;
+      }
+    }
+#else
+  /* don't expense unneeded calloc overhead on non-win16 */
+  status = jar_parse_digital_signature 
+                (raw_manifest, signer, length, jar);
+#endif
+
+  return status;
+  }
+
+/*
+ *  j a r _ p a r s e _ m f
+ *
+ *  Parse the META-INF/manifest.mf file, whose
+ *  information applies to all signers.
+ *
+ */
+
+int jar_parse_mf
+    (JAR *jar, char ZHUGEP *raw_manifest, 
+        long length, const char *path, const char *url)
+  {
+  if (jar->globalmeta)
+    {
+    /* refuse a second manifest file, if passed for some reason */
+    return JAR_ERR_ORDER;
+    }
+
+
+  /* remember a digest for the global section */
+
+  jar->globalmeta = jar_digest_section (raw_manifest, length);
+
+  if (jar->globalmeta == NULL)
+    return JAR_ERR_MEMORY;
+
+
+  return jar_parse_any 
+    (jar, jarTypeMF, NULL, raw_manifest, length, path, url);
+  }
+
+/*
+ *  j a r _ p a r s e _ s f
+ *
+ *  Parse META-INF/xxx.sf, a digitally signed file
+ *  pointing to a subset of MF sections. 
+ *
+ */
+
+int jar_parse_sf
+    (JAR *jar, char ZHUGEP *raw_manifest, 
+        long length, const char *path, const char *url)
+  {
+  JAR_Signer *signer = NULL;
+  int status = JAR_ERR_MEMORY;
+
+  if (jar->globalmeta == NULL)
+    {
+    /* It is a requirement that the MF file be passed before the SF file */
+    return JAR_ERR_ORDER;
+    }
+
+  signer = JAR_new_signer();
+
+  if (signer == NULL)
+    goto loser;
+
+  if (path)
+    {
+    signer->owner = jar_basename (path);
+    if (signer->owner == NULL)
+      goto loser;
+    }
+
+
+  /* check for priors. When someone doctors a jar file
+     to contain identical path entries, prevent the second
+     one from affecting JAR functions */
+
+  if (jar_get_signer (jar, signer->owner))
+    {
+    /* someone is trying to spoof us */
+    status = JAR_ERR_ORDER;
+    goto loser;
+    }
+
+
+  /* remember its digest */
+
+  signer->digest = JAR_calculate_digest (raw_manifest, length);
+
+  if (signer->digest == NULL)
+    goto loser;
+
+  /* Add this signer to the jar */
+
+  ADDITEM (jar->signers, jarTypeOwner, 
+     signer->owner, signer, sizeof (JAR_Signer));
+
+
+  return jar_parse_any 
+    (jar, jarTypeSF, signer, raw_manifest, length, path, url);
+
+loser:
+
+  if (signer)
+    JAR_destroy_signer (signer);
+
+  return status;
+  }
+
+/* 
+ *  j a r _ p a r s e _ a n y
+ *
+ *  Parse a MF or SF manifest file. 
+ *
+ */
+ 
+int jar_parse_any
+    (JAR *jar, int type, JAR_Signer *signer, char ZHUGEP *raw_manifest, 
+        long length, const char *path, const char *url)
+  {
+  int status;
+
+  long raw_len;
+
+  JAR_Digest *dig, *mfdig = NULL;
+
+  char line [SZ];
+  char x_name [SZ], x_md5 [SZ], x_sha [SZ];
+
+  char *x_info;
+
+  char *sf_md5 = NULL, *sf_sha1 = NULL;
+
+  *x_name = 0;
+  *x_md5 = 0;
+  *x_sha = 0;
+
+  PORT_Assert( length > 0 );
+  raw_len = length;
+
+#ifdef DEBUG
+  if ((status = jar_insanity_check (raw_manifest, raw_len)) < 0)
+    return status;
+#endif
+
+
+  /* null terminate the first line */
+  raw_manifest = jar_eat_line (0, PR_TRUE, raw_manifest, &raw_len);
+
+
+  /* skip over the preliminary section */
+  /* This is one section at the top of the file with global metainfo */
+
+  while (raw_len)
+    {
+    JAR_Metainfo *met;
+
+    raw_manifest = jar_eat_line (1, PR_TRUE, raw_manifest, &raw_len);
+    if (!*raw_manifest) break;
+
+    met = (JAR_Metainfo*)PORT_ZAlloc (sizeof (JAR_Metainfo));
+    if (met == NULL)
+      return JAR_ERR_MEMORY;
+
+    /* Parse out the header & info */
+
+    if (xp_HUGE_STRLEN (raw_manifest) >= SZ)
+      {
+      /* almost certainly nonsense */
+      continue;
+      }
+
+    xp_HUGE_STRCPY (line, raw_manifest);
+    x_info = line;
+
+    while (*x_info && *x_info != ' ' && *x_info != '\t' && *x_info != ':')
+      x_info++;
+
+    if (*x_info) *x_info++ = 0;
+
+    while (*x_info == ' ' || *x_info == '\t')
+      x_info++;
+
+    /* metainfo (name, value) pair is now (line, x_info) */
+
+    met->header = PORT_Strdup (line);
+    met->info = PORT_Strdup (x_info);
+
+    if (type == jarTypeMF)
+      {
+      ADDITEM (jar->metainfo, jarTypeMeta, 
+         /* pathname */ NULL, met, sizeof (JAR_Metainfo));
+      }
+
+    /* For SF files, this metadata may be the digests
+       of the MF file, still in the "met" structure. */
+
+    if (type == jarTypeSF)
+      {
+      if (!PORT_Strcasecmp (line, "MD5-Digest"))
+        sf_md5 = (char *) met->info;
+
+      if (!PORT_Strcasecmp (line, "SHA1-Digest") || !PORT_Strcasecmp (line, "SHA-Digest"))
+        sf_sha1 = (char *) met->info;
+      }
+    }
+
+  if (type == jarTypeSF && jar->globalmeta)
+    {
+    /* this is a SF file which may contain a digest of the manifest.mf's 
+       global metainfo. */
+
+    int match = 0;
+    JAR_Digest *glob = jar->globalmeta;
+
+    if (sf_md5)
+      {
+      unsigned int md5_length;
+      unsigned char *md5_digest;
+
+      md5_digest = ATOB_AsciiToData (sf_md5, &md5_length);
+      PORT_Assert( md5_length == MD5_LENGTH );
+
+      if (md5_length != MD5_LENGTH)
+        return JAR_ERR_CORRUPT;
+
+      match = PORT_Memcmp (md5_digest, glob->md5, MD5_LENGTH);
+      }
+
+    if (sf_sha1 && match == 0)
+      {
+      unsigned int sha1_length;
+      unsigned char *sha1_digest;
+
+      sha1_digest = ATOB_AsciiToData (sf_sha1, &sha1_length);
+      PORT_Assert( sha1_length == SHA1_LENGTH );
+
+      if (sha1_length != SHA1_LENGTH)
+        return JAR_ERR_CORRUPT;
+
+      match = PORT_Memcmp (sha1_digest, glob->sha1, SHA1_LENGTH);
+      }
+
+    if (match != 0)
+      {
+      /* global digest doesn't match, SF file therefore invalid */
+      jar->valid = JAR_ERR_METADATA;
+      return JAR_ERR_METADATA;
+      }
+    }
+
+  /* done with top section of global data */
+
+
+  while (raw_len)
+    {
+    *x_md5 = 0;
+    *x_sha = 0;
+    *x_name = 0;
+
+
+    /* If this is a manifest file, attempt to get a digest of the following section, 
+       without damaging it. This digest will be saved later. */
+
+    if (type == jarTypeMF)
+      {
+      char ZHUGEP *sec;
+      long sec_len = raw_len;
+
+      if (!*raw_manifest || *raw_manifest == '\n')
+        {     
+        /* skip the blank line */ 
+        sec = jar_eat_line (1, PR_FALSE, raw_manifest, &sec_len);
+        }
+      else
+        sec = raw_manifest;
+
+      if (!xp_HUGE_STRNCASECMP (sec, "Name:", 5))
+        {
+        if (type == jarTypeMF)
+          mfdig = jar_digest_section (sec, sec_len);
+        else
+          mfdig = NULL;
+        }
+      }
+
+
+    while (raw_len)
+      {
+      raw_manifest = jar_eat_line (1, PR_TRUE, raw_manifest, &raw_len);
+      if (!*raw_manifest) break; /* blank line, done with this entry */
+
+      if (xp_HUGE_STRLEN (raw_manifest) >= SZ)
+        {
+        /* almost certainly nonsense */
+        continue;
+        }
+
+
+      /* Parse out the name/value pair */
+
+      xp_HUGE_STRCPY (line, raw_manifest);
+      x_info = line;
+
+      while (*x_info && *x_info != ' ' && *x_info != '\t' && *x_info != ':')
+        x_info++;
+
+      if (*x_info) *x_info++ = 0;
+
+      while (*x_info == ' ' || *x_info == '\t') 
+        x_info++;
+
+
+      if (!PORT_Strcasecmp (line, "Name"))
+        PORT_Strcpy (x_name, x_info);
+
+      else if (!PORT_Strcasecmp (line, "MD5-Digest"))
+        PORT_Strcpy (x_md5, x_info);
+
+      else if (!PORT_Strcasecmp (line, "SHA1-Digest") 
+                  || !PORT_Strcasecmp (line, "SHA-Digest"))
+        {
+        PORT_Strcpy (x_sha, x_info);
+        }
+
+      /* Algorithm list is meta info we don't care about; keeping it out
+         of metadata saves significant space for large jar files */
+
+      else if (!PORT_Strcasecmp (line, "Digest-Algorithms")
+                    || !PORT_Strcasecmp (line, "Hash-Algorithms"))
+        {
+        continue;
+        }
+
+      /* Meta info is only collected for the manifest.mf file,
+         since the JAR_get_metainfo call does not support identity */
+
+      else if (type == jarTypeMF)
+        {
+        JAR_Metainfo *met;
+
+        /* this is meta-data */
+
+        met = (JAR_Metainfo*)PORT_ZAlloc (sizeof (JAR_Metainfo));
+
+        if (met == NULL)
+          return JAR_ERR_MEMORY;
+
+        /* metainfo (name, value) pair is now (line, x_info) */
+
+        if ((met->header = PORT_Strdup (line)) == NULL)
+          return JAR_ERR_MEMORY;
+
+        if ((met->info = PORT_Strdup (x_info)) == NULL)
+          return JAR_ERR_MEMORY;
+
+        ADDITEM (jar->metainfo, jarTypeMeta, 
+           x_name, met, sizeof (JAR_Metainfo));
+        }
+      }
+
+	if(!x_name || !*x_name) {
+		/* Whatever that was, it wasn't an entry, because we didn't get a name.
+		 * We don't really have anything, so don't record this. */
+		continue;
+	}
+
+    dig = (JAR_Digest*)PORT_ZAlloc (sizeof (JAR_Digest));
+    if (dig == NULL)
+      return JAR_ERR_MEMORY;
+
+    if (*x_md5 ) 
+      {
+      unsigned int binary_length;
+      unsigned char *binary_digest;
+
+      binary_digest = ATOB_AsciiToData (x_md5, &binary_length);
+      PORT_Assert( binary_length == MD5_LENGTH );
+
+      if (binary_length != MD5_LENGTH)
+        return JAR_ERR_CORRUPT;
+
+      memcpy (dig->md5, binary_digest, MD5_LENGTH);
+      dig->md5_status = jarHashPresent;
+      }
+
+    if (*x_sha ) 
+      {
+      unsigned int binary_length;
+      unsigned char *binary_digest;
+
+      binary_digest = ATOB_AsciiToData (x_sha, &binary_length);
+      PORT_Assert( binary_length == SHA1_LENGTH );
+
+      if (binary_length != SHA1_LENGTH)
+        return JAR_ERR_CORRUPT;
+
+      memcpy (dig->sha1, binary_digest, SHA1_LENGTH);
+      dig->sha1_status = jarHashPresent;
+      }
+
+    PORT_Assert( type == jarTypeMF || type == jarTypeSF );
+
+
+    if (type == jarTypeMF)
+      {
+      ADDITEM (jar->hashes, jarTypeMF, x_name, dig, sizeof (JAR_Digest));
+      }
+    else if (type == jarTypeSF)
+      {
+      ADDITEM (signer->sf, jarTypeSF, x_name, dig, sizeof (JAR_Digest));
+      }
+    else
+      return JAR_ERR_ORDER;
+
+    /* we're placing these calculated digests of manifest.mf 
+       sections in a list where they can subsequently be forgotten */
+
+    if (type == jarTypeMF && mfdig)
+      {
+      ADDITEM (jar->manifest, jarTypeSect, 
+         x_name, mfdig, sizeof (JAR_Digest));
+
+      mfdig = NULL;
+      }
+
+
+    /* Retrieve our saved SHA1 digest from saved copy and check digests.
+       This is just comparing the digest of the MF section as indicated in
+       the SF file with the one we remembered from parsing the MF file */
+
+    if (type == jarTypeSF)
+      {
+      if ((status = jar_internal_digest (jar, path, x_name, dig)) < 0)
+        return status;
+      }
+    }
+
+  return 0;
+  }
+
+static int jar_internal_digest 
+     (JAR *jar, const char *path, char *x_name, JAR_Digest *dig)
+  {
+  int cv;
+  int status;
+
+  JAR_Digest *savdig;
+
+  savdig = jar_get_mf_digest (jar, x_name);
+
+  if (savdig == NULL)
+    {
+    /* no .mf digest for this pathname */
+    status = jar_signal (JAR_ERR_ENTRY, jar, path, x_name);
+    if (status < 0) 
+      return 0; /* was continue; */
+    else 
+      return status;
+    }
+
+  /* check for md5 consistency */
+  if (dig->md5_status)
+    {
+    cv = PORT_Memcmp (savdig->md5, dig->md5, MD5_LENGTH);
+    /* md5 hash of .mf file is not what expected */
+    if (cv) 
+      {
+      status = jar_signal (JAR_ERR_HASH, jar, path, x_name);
+
+      /* bad hash, man */
+
+      dig->md5_status = jarHashBad;
+      savdig->md5_status = jarHashBad;
+
+      if (status < 0) 
+        return 0; /* was continue; */
+      else 
+        return status;
+      }
+    }
+
+  /* check for sha1 consistency */
+  if (dig->sha1_status)
+    {
+    cv = PORT_Memcmp (savdig->sha1, dig->sha1, SHA1_LENGTH);
+    /* sha1 hash of .mf file is not what expected */
+    if (cv) 
+      {
+      status = jar_signal (JAR_ERR_HASH, jar, path, x_name);
+
+      /* bad hash, man */
+
+      dig->sha1_status = jarHashBad;
+      savdig->sha1_status = jarHashBad;
+
+      if (status < 0)
+        return 0; /* was continue; */
+      else
+        return status;
+      }
+    }
+	return 0;
+  }
+
+#ifdef DEBUG
+/*
+ *  j a r _ i n s a n i t y _ c h e c k
+ *
+ *  Check for illegal characters (or possibly so)
+ *  in the manifest files, to detect potential memory
+ *  corruption by our neighbors. Debug only, since
+ *  not I18N safe.
+ * 
+ */
+
+static int jar_insanity_check (char ZHUGEP *data, long length)
+  {
+  int c;
+  long off;
+
+  for (off = 0; off < length; off++)
+    {
+    c = data [off];
+
+    if (c == '\n' || c == '\r' || (c >= ' ' && c <= 128))
+      continue;
+
+    return JAR_ERR_CORRUPT;
+    }
+
+  return 0;
+  }
+#endif
+
+/*
+ *  j a r _ p a r s e _ d i g i t a l _ s i g n a t u r e
+ *
+ *  Parse an RSA or DSA (or perhaps other) digital signature.
+ *  Right now everything is PKCS7.
+ *
+ */
+
+static int jar_parse_digital_signature 
+     (char *raw_manifest, JAR_Signer *signer, long length, JAR *jar)
+  {
+#if defined(XP_WIN16)
+  PORT_Assert( LOWORD(raw_manifest) + length < 0xFFFF );
+#endif
+  return jar_validate_pkcs7 (jar, signer, raw_manifest, length);
+  }
+
+/*
+ *  j a r _ a d d _ c e r t
+ * 
+ *  Add information for the given certificate
+ *  (or whatever) to the JAR linked list. A pointer
+ *  is passed for some relevant reference, say
+ *  for example the original certificate.
+ *
+ */
+
+static int jar_add_cert
+     (JAR *jar, JAR_Signer *signer, int type, CERTCertificate *cert)
+  {
+  JAR_Cert *fing;
+
+  if (cert == NULL)
+    return JAR_ERR_ORDER;
+
+  fing = (JAR_Cert*)PORT_ZAlloc (sizeof (JAR_Cert));
+
+  if (fing == NULL)
+    goto loser;
+
+#ifdef USE_MOZ_THREAD
+  fing->cert = jar_moz_dup (cert);
+#else
+  fing->cert = CERT_DupCertificate (cert);
+#endif
+
+  /* get the certkey */
+
+  fing->length = cert->certKey.len;
+
+  fing->key = (char *) PORT_ZAlloc (fing->length);
+
+  if (fing->key == NULL)
+    goto loser;
+
+  PORT_Memcpy (fing->key, cert->certKey.data, fing->length);
+
+  ADDITEM (signer->certs, type, 
+    /* pathname */ NULL, fing, sizeof (JAR_Cert));
+
+  return 0;
+
+loser:
+
+  if (fing)
+    {
+    if (fing->cert) 
+      CERT_DestroyCertificate (fing->cert);
+
+    PORT_Free (fing);
+    }
+
+  return JAR_ERR_MEMORY;
+  }
+
+/*
+ *  e a t _ l i n e 
+ *
+ *  Consume an ascii line from the top of a file kept
+ *  in memory. This destroys the file in place. This function
+ *  handles PC, Mac, and Unix style text files.
+ *
+ */
+
+static char ZHUGEP *jar_eat_line 
+    (int lines, int eating, char ZHUGEP *data, long *len)
+  {
+  char ZHUGEP *ret;
+
+  ret = data;
+  if (!*len) return ret;
+
+  /* Eat the requisite number of lines, if any; 
+     prior to terminating the current line with a 0. */
+
+  for (/* yip */ ; lines; lines--)
+    {
+    while (*data && *data != '\n')
+      data++;
+
+    /* After the CR, ok to eat one LF */
+
+    if (*data == '\n')
+      data++;
+
+    /* If there are zeros, we put them there */
+
+    while (*data == 0 && data - ret < *len)
+      data++;
+    }
+
+  *len -= data - ret;
+  ret = data;
+
+  if (eating)
+    {
+    /* Terminate this line with a 0 */ 
+
+    while (*data && *data != '\n' && *data != '\r')
+      data++;
+
+    /* In any case we are allowed to eat CR */
+
+    if (*data == '\r')
+      *data++ = 0;
+
+    /* After the CR, ok to eat one LF */
+
+    if (*data == '\n')
+      *data++ = 0;
+    }
+
+  return ret;
+  }
+
+/*
+ *  j a r _ d i g e s t _ s e c t i o n
+ *
+ *  Return the digests of the next section of the manifest file.
+ *  Does not damage the manifest file, unlike parse_manifest.
+ * 
+ */
+
+static JAR_Digest *jar_digest_section 
+    (char ZHUGEP *manifest, long length)
+  {
+  long global_len;
+  char ZHUGEP *global_end;
+
+  global_end = manifest;
+  global_len = length;
+
+  while (global_len)
+    {
+    global_end = jar_eat_line (1, PR_FALSE, global_end, &global_len);
+    if (*global_end == 0 || *global_end == '\n')
+      break;
+    }
+
+  return JAR_calculate_digest (manifest, global_end - manifest);
+  }
+
+/*
+ *  J A R _ v e r i f y _ d i g e s t
+ *
+ *  Verifies that a precalculated digest matches the
+ *  expected value in the manifest.
+ *
+ */
+
+int PR_CALLBACK JAR_verify_digest
+    (JAR *jar, const char *name, JAR_Digest *dig)
+  {
+  JAR_Item *it;
+
+  JAR_Digest *shindig;
+
+  ZZLink *link;
+  ZZList *list;
+
+  int result1, result2;
+
+  list = jar->hashes;
+
+  result1 = result2 = 0;
+
+  if (jar->valid < 0)
+    {
+    /* signature not valid */
+    return JAR_ERR_SIG;
+    }
+
+  if (ZZ_ListEmpty (list))
+    {
+    /* empty list */
+    return JAR_ERR_PNF;
+    }
+
+  for (link = ZZ_ListHead (list); 
+       !ZZ_ListIterDone (list, link); 
+       link = link->next)
+    {
+    it = link->thing;
+    if (it->type == jarTypeMF 
+           && it->pathname && !PORT_Strcmp (it->pathname, name))
+      {
+      shindig = (JAR_Digest *) it->data;
+
+      if (shindig->md5_status)
+        {
+        if (shindig->md5_status == jarHashBad)
+          return JAR_ERR_HASH;
+        else
+          result1 = memcmp (dig->md5, shindig->md5, MD5_LENGTH);
+        }
+
+      if (shindig->sha1_status)
+        {
+        if (shindig->sha1_status == jarHashBad)
+          return JAR_ERR_HASH;
+        else
+          result2 = memcmp (dig->sha1, shindig->sha1, SHA1_LENGTH);
+        }
+
+      return (result1 == 0 && result2 == 0) ? 0 : JAR_ERR_HASH;
+      }
+    }
+
+  return JAR_ERR_PNF;
+  }
+
+/* 
+ *  J A R _ c e r t _ a t t r i b u t e
+ *
+ *  Return the named certificate attribute from the
+ *  certificate specified by the given key.
+ *
+ */
+
+int PR_CALLBACK JAR_cert_attribute
+    (JAR *jar, jarCert attrib, long keylen, void *key, 
+        void **result, unsigned long *length)
+  {
+  int status = 0;
+  char *ret = NULL;
+
+  CERTCertificate *cert;
+
+  CERTCertDBHandle *certdb;
+
+  JAR_Digest *dig;
+  SECItem hexme;
+
+  *length = 0;
+
+  if (attrib == 0 || key == 0)
+    return JAR_ERR_GENERAL;
+
+  if (attrib == jarCertJavaHack)
+    {
+    cert = (CERTCertificate *) NULL;
+    certdb = JAR_open_database();
+
+    if (certdb)
+      {
+#ifdef USE_MOZ_THREAD
+      cert = jar_moz_nickname (certdb, (char*)key);
+#else
+      cert = CERT_FindCertByNickname (certdb, key);
+#endif
+
+      if (cert)
+        {
+        *length = cert->certKey.len;
+
+        *result = (void *) PORT_ZAlloc (*length);
+
+        if (*result)
+          PORT_Memcpy (*result, cert->certKey.data, *length);
+        else
+          return JAR_ERR_MEMORY;
+        }
+      JAR_close_database (certdb);
+      }
+
+    return cert ? 0 : JAR_ERR_GENERAL;
+    }
+
+  if (jar && jar->pkcs7 == 0)
+    return JAR_ERR_GENERAL;
+
+  cert = jar_get_certificate (jar, keylen, key, &status);
+
+  if (cert == NULL || status < 0)
+    return JAR_ERR_GENERAL;
+
+#define SEP " <br> "
+#define SEPLEN (PORT_Strlen(SEP))
+
+  switch (attrib)
+    {
+    case jarCertCompany:
+
+      ret = cert->subjectName;
+
+      /* This is pretty ugly looking but only used
+         here for this one purpose. */
+
+      if (ret)
+        {
+        int retlen = 0;
+
+        char *cer_ou1, *cer_ou2, *cer_ou3;
+	char *cer_cn, *cer_e, *cer_o, *cer_l;
+
+	cer_cn  = CERT_GetCommonName (&cert->subject);
+        cer_e   = CERT_GetCertEmailAddress (&cert->subject);
+        cer_ou3 = jar_cert_element (ret, "OU=", 3);
+        cer_ou2 = jar_cert_element (ret, "OU=", 2);
+        cer_ou1 = jar_cert_element (ret, "OU=", 1);
+        cer_o   = CERT_GetOrgName (&cert->subject);
+        cer_l   = CERT_GetCountryName (&cert->subject);
+
+        if (cer_cn)  retlen += SEPLEN + PORT_Strlen (cer_cn);
+        if (cer_e)   retlen += SEPLEN + PORT_Strlen (cer_e);
+        if (cer_ou1) retlen += SEPLEN + PORT_Strlen (cer_ou1);
+        if (cer_ou2) retlen += SEPLEN + PORT_Strlen (cer_ou2);
+        if (cer_ou3) retlen += SEPLEN + PORT_Strlen (cer_ou3);
+        if (cer_o)   retlen += SEPLEN + PORT_Strlen (cer_o);
+        if (cer_l)   retlen += SEPLEN + PORT_Strlen (cer_l);
+
+        ret = (char *) PORT_ZAlloc (1 + retlen);
+
+        if (cer_cn)  { PORT_Strcpy (ret, cer_cn);  PORT_Strcat (ret, SEP); }
+        if (cer_e)   { PORT_Strcat (ret, cer_e);   PORT_Strcat (ret, SEP); }
+        if (cer_ou1) { PORT_Strcat (ret, cer_ou1); PORT_Strcat (ret, SEP); }
+        if (cer_ou2) { PORT_Strcat (ret, cer_ou2); PORT_Strcat (ret, SEP); }
+        if (cer_ou3) { PORT_Strcat (ret, cer_ou3); PORT_Strcat (ret, SEP); }
+        if (cer_o)   { PORT_Strcat (ret, cer_o);   PORT_Strcat (ret, SEP); }
+        if (cer_l)     PORT_Strcat (ret, cer_l);
+
+	/* return here to avoid unsightly memory leak */
+
+        *result = ret;
+        *length = PORT_Strlen (ret);
+
+        return 0;
+        }
+      break;
+
+    case jarCertCA:
+
+      ret = cert->issuerName;
+
+      if (ret)
+        {
+        int retlen = 0;
+
+        char *cer_ou1, *cer_ou2, *cer_ou3;
+	char *cer_cn, *cer_e, *cer_o, *cer_l;
+
+        /* This is pretty ugly looking but only used
+           here for this one purpose. */
+
+	cer_cn  = CERT_GetCommonName (&cert->issuer);
+        cer_e   = CERT_GetCertEmailAddress (&cert->issuer);
+        cer_ou3 = jar_cert_element (ret, "OU=", 3);
+        cer_ou2 = jar_cert_element (ret, "OU=", 2);
+        cer_ou1 = jar_cert_element (ret, "OU=", 1);
+        cer_o   = CERT_GetOrgName (&cert->issuer);
+        cer_l   = CERT_GetCountryName (&cert->issuer);
+
+        if (cer_cn)  retlen += SEPLEN + PORT_Strlen (cer_cn);
+        if (cer_e)   retlen += SEPLEN + PORT_Strlen (cer_e);
+        if (cer_ou1) retlen += SEPLEN + PORT_Strlen (cer_ou1);
+        if (cer_ou2) retlen += SEPLEN + PORT_Strlen (cer_ou2);
+        if (cer_ou3) retlen += SEPLEN + PORT_Strlen (cer_ou3);
+        if (cer_o)   retlen += SEPLEN + PORT_Strlen (cer_o);
+        if (cer_l)   retlen += SEPLEN + PORT_Strlen (cer_l);
+
+        ret = (char *) PORT_ZAlloc (1 + retlen);
+
+        if (cer_cn)  { PORT_Strcpy (ret, cer_cn);  PORT_Strcat (ret, SEP); }
+        if (cer_e)   { PORT_Strcat (ret, cer_e);   PORT_Strcat (ret, SEP); }
+        if (cer_ou1) { PORT_Strcat (ret, cer_ou1); PORT_Strcat (ret, SEP); }
+        if (cer_ou2) { PORT_Strcat (ret, cer_ou2); PORT_Strcat (ret, SEP); }
+        if (cer_ou3) { PORT_Strcat (ret, cer_ou3); PORT_Strcat (ret, SEP); }
+        if (cer_o)   { PORT_Strcat (ret, cer_o);   PORT_Strcat (ret, SEP); }
+        if (cer_l)     PORT_Strcat (ret, cer_l);
+
+	/* return here to avoid unsightly memory leak */
+
+        *result = ret;
+        *length = PORT_Strlen (ret);
+
+        return 0;
+        }
+
+      break;
+
+    case jarCertSerial:
+
+      ret = CERT_Hexify (&cert->serialNumber, 1);
+      break;
+
+    case jarCertExpires:
+
+      ret = DER_UTCDayToAscii (&cert->validity.notAfter);
+      break;
+
+    case jarCertNickname:
+
+      ret = jar_choose_nickname (cert);
+      break;
+
+    case jarCertFinger:
+
+      dig = JAR_calculate_digest 
+         ((char *) cert->derCert.data, cert->derCert.len);
+
+      if (dig)
+        {
+        hexme.len = sizeof (dig->md5);
+        hexme.data = dig->md5;
+        ret = CERT_Hexify (&hexme, 1);
+        }
+      break;
+
+    default:
+
+      return JAR_ERR_GENERAL;
+    }
+
+  *result = ret ? PORT_Strdup (ret) : NULL;
+  *length = ret ? PORT_Strlen (ret) : 0;
+
+  return 0;
+  }
+
+/* 
+ *  j a r  _ c e r t _ e l e m e n t
+ *
+ *  Retrieve an element from an x400ish ascii
+ *  designator, in a hackish sort of way. The right
+ *  thing would probably be to sort AVATags.
+ *
+ */
+
+static char *jar_cert_element (char *name, char *tag, int occ)
+  {
+  if (name && tag)
+    {
+    char *s;
+    int found = 0;
+
+    while (occ--)
+      {
+      if (PORT_Strstr (name, tag))
+        {
+        name = PORT_Strstr (name, tag) + PORT_Strlen (tag);
+        found = 1;
+        }
+      else
+        {
+        name = PORT_Strstr (name, "=");
+        if (name == NULL) return NULL;
+        found = 0;
+        }
+      }
+
+    if (!found) return NULL;
+
+    /* must mangle only the copy */
+    name = PORT_Strdup (name);
+
+    /* advance to next equal */
+    for (s = name; *s && *s != '='; s++)
+      /* yip */ ;
+
+    /* back up to previous comma */
+    while (s > name && *s != ',') s--;
+
+    /* zap the whitespace and return */
+    *s = 0;
+    }
+
+  return name;
+  }
+
+/* 
+ *  j a r _ c h o o s e _ n i c k n a m e
+ *
+ *  Attempt to determine a suitable nickname for
+ *  a certificate with a computer-generated "tmpcertxxx" 
+ *  nickname. It needs to be something a user can
+ *  understand, so try a few things.
+ *
+ */
+
+static char *jar_choose_nickname (CERTCertificate *cert)
+  {
+  char *cert_cn;
+  char *cert_o;
+  char *cert_cn_o;
+
+  int cn_o_length;
+
+  /* is the existing name ok */
+
+  if (cert->nickname && PORT_Strncmp (cert->nickname, "tmpcert", 7))
+    return PORT_Strdup (cert->nickname);
+
+  /* we have an ugly name here people */
+
+  /* Try the CN */
+  cert_cn = CERT_GetCommonName (&cert->subject);
+
+  if (cert_cn)
+    {
+    /* check for duplicate nickname */
+
+#ifdef USE_MOZ_THREAD
+    if (jar_moz_nickname (CERT_GetDefaultCertDB(), cert_cn) == NULL)
+#else
+    if (CERT_FindCertByNickname (CERT_GetDefaultCertDB(), cert_cn) == NULL)
+#endif
+      return cert_cn;
+
+    /* Try the CN plus O */
+    cert_o = CERT_GetOrgName (&cert->subject);
+
+    cn_o_length = PORT_Strlen (cert_cn) + 3 + PORT_Strlen (cert_o) + 20;
+    cert_cn_o = (char*)PORT_ZAlloc (cn_o_length);
+
+    PR_snprintf (cert_cn_o, cn_o_length, 
+           "%s's %s Certificate", cert_cn, cert_o);
+
+#ifdef USE_MOZ_THREAD
+    if (jar_moz_nickname (CERT_GetDefaultCertDB(), cert_cn_o) == NULL)
+#else
+    if (CERT_FindCertByNickname (CERT_GetDefaultCertDB(), cert_cn_o) == NULL)
+#endif
+      return cert_cn;
+    }
+
+  /* If all that failed, use the ugly nickname */
+  return cert->nickname ? PORT_Strdup (cert->nickname) : NULL;
+  }
+
+/*
+ *  J A R _ c e r t _ h t m l 
+ *
+ *  Return an HTML representation of the certificate
+ *  designated by the given fingerprint, in specified style.
+ *
+ *  JAR is optional, but supply it if you can in order
+ *  to optimize.
+ *
+ */
+
+char *JAR_cert_html
+    (JAR *jar, int style, long keylen, void *key, int *result)
+  {
+  char *html;
+  CERTCertificate *cert;
+
+  *result = -1;
+
+  if (style != 0)
+    return NULL;
+
+  cert = jar_get_certificate (jar, keylen, key, result);
+
+  if (cert == NULL || *result < 0)
+    return NULL;
+
+  *result = 0;
+
+  html = CERT_HTMLCertInfo (cert, /* show images */ PR_TRUE,
+		/*show issuer*/PR_TRUE);
+
+  if (html == NULL)
+    *result = -1;
+
+  return html;
+  }
+
+/*
+ *  J A R _ s t a s h _ c e r t
+ *
+ *  Stash the certificate pointed to by this
+ *  fingerprint, in persistent storage somewhere.
+ *
+ */
+
+extern int PR_CALLBACK JAR_stash_cert
+    (JAR *jar, long keylen, void *key)
+  {
+  int result = 0;
+
+  char *nickname;
+  CERTCertTrust trust;
+
+  CERTCertDBHandle *certdb;
+  CERTCertificate *cert, *newcert;
+
+  cert = jar_get_certificate (jar, keylen, key, &result);
+
+  if (result < 0)
+    return result;
+
+  if (cert == NULL)
+    return JAR_ERR_GENERAL;
+
+  if ((certdb = JAR_open_database()) == NULL)
+    return JAR_ERR_GENERAL;
+
+  /* Attempt to give a name to the newish certificate */
+  nickname = jar_choose_nickname (cert);
+
+#ifdef USE_MOZ_THREAD
+  newcert = jar_moz_nickname (certdb, nickname);
+#else
+  newcert = CERT_FindCertByNickname (certdb, nickname);
+#endif
+
+  if (newcert && newcert->isperm) 
+    {
+    /* already in permanant database */
+    return 0;
+    }
+
+  if (newcert) cert = newcert;
+
+  /* FIX, since FindCert returns a bogus dbhandle
+     set it ourselves */
+
+  cert->dbhandle = certdb;
+
+#if 0
+  nickname = cert->subjectName;
+  if (nickname)
+    {
+    /* Not checking for a conflict here. But this should
+       be a new cert or it would have been found earlier. */
+
+    nickname = jar_cert_element (nickname, "CN=", 1);
+
+    if (SEC_CertNicknameConflict (nickname, cert->dbhandle))
+      {
+      /* conflict */
+      nickname = PORT_Realloc (&nickname, PORT_Strlen (nickname) + 3);
+
+      /* Beyond one copy, there are probably serious problems 
+         so we will stop at two rather than counting.. */
+
+      PORT_Strcat (nickname, " #2");
+      }
+    }
+#endif
+
+  if (nickname != NULL)
+    {
+    PORT_Memset ((void *) &trust, 0, sizeof(trust));
+
+#ifdef USE_MOZ_THREAD
+    if (jar_moz_perm (cert, nickname, &trust) != SECSuccess) 
+#else
+    if (CERT_AddTempCertToPerm (cert, nickname, &trust) != SECSuccess) 
+#endif
+      {
+      /* XXX might want to call PORT_GetError here */
+      result = JAR_ERR_GENERAL;
+      }
+    }
+
+  JAR_close_database (certdb);
+
+  return result;
+  }
+
+/*
+ *  J A R _ f e t c h _ c e r t
+ *
+ *  Given an opaque identifier of a certificate, 
+ *  return the full certificate.
+ *
+ * The new function, which retrieves by key.
+ *
+ */
+
+void *JAR_fetch_cert (long length, void *key)
+  {
+  SECItem seckey;
+  CERTCertificate *cert = NULL;
+
+  CERTCertDBHandle *certdb;
+
+  certdb = JAR_open_database();
+
+  if (certdb)
+    {
+    seckey.len = length;
+    seckey.data = (unsigned char*)key;
+
+#ifdef USE_MOZ_THREAD
+    cert = jar_moz_certkey (certdb, &seckey);
+#else
+    cert = CERT_FindCertByKey (certdb, &seckey);
+#endif
+
+    JAR_close_database (certdb);
+    }
+
+  return (void *) cert;
+  }
+
+/*
+ *  j a r _ g e t _ m f _ d i g e s t
+ *
+ *  Retrieve a corresponding saved digest over a section
+ *  of the main manifest file. 
+ *
+ */
+
+static JAR_Digest *jar_get_mf_digest (JAR *jar, char *pathname)
+  {
+  JAR_Item *it;
+
+  JAR_Digest *dig;
+
+  ZZLink *link;
+  ZZList *list;
+
+  list = jar->manifest;
+
+  if (ZZ_ListEmpty (list))
+    return NULL;
+
+  for (link = ZZ_ListHead (list);
+       !ZZ_ListIterDone (list, link);
+       link = link->next)
+    {
+    it = link->thing;
+    if (it->type == jarTypeSect 
+          && it->pathname && !PORT_Strcmp (it->pathname, pathname))
+      {
+      dig = (JAR_Digest *) it->data;
+      return dig;
+      }
+    }
+
+  return NULL;
+  }
+
+/*
+ *  j a r _ b a s e n a m e
+ *
+ *  Return the basename -- leading components of path stripped off,
+ *  extension ripped off -- of a path.
+ *
+ */
+
+static char *jar_basename (const char *path)
+  {
+  char *pith, *e, *basename, *ext;
+
+  if (path == NULL)
+    return PORT_Strdup ("");
+
+  pith = PORT_Strdup (path);
+
+  basename = pith;
+
+  while (1)
+    {
+    for (e = basename; *e && *e != '/' && *e != '\\'; e++)
+      /* yip */ ;
+    if (*e) 
+      basename = ++e; 
+    else
+      break;
+    }
+
+  if ((ext = PORT_Strrchr (basename, '.')) != NULL)
+    *ext = 0;
+
+  /* We already have the space allocated */
+  PORT_Strcpy (pith, basename);
+
+  return pith;
+  }
+
+/*
+ *  + + + + + + + + + + + + + + +
+ *
+ *  CRYPTO ROUTINES FOR JAR
+ *
+ *  The following functions are the cryptographic 
+ *  interface to PKCS7 for Jarnatures.
+ *
+ *  + + + + + + + + + + + + + + +
+ *
+ */
+
+/*
+ *  j a r _ c a t c h _ b y t e s
+ *
+ *  In the event signatures contain enveloped data, it will show up here.
+ *  But note that the lib/pkcs7 routines aren't ready for it.
+ *
+ */
+
+static void jar_catch_bytes
+     (void *arg, const char *buf, unsigned long len)
+  {
+  /* Actually this should never be called, since there is
+     presumably no data in the signature itself. */
+  }
+
+/*
+ *  j a r _ v a l i d a t e _ p k c s 7
+ *
+ *  Validate (and decode, if necessary) a binary pkcs7
+ *  signature in DER format.
+ *
+ */
+
+static int jar_validate_pkcs7 
+     (JAR *jar, JAR_Signer *signer, char *data, long length)
+  {
+  SECItem detdig;
+
+  SEC_PKCS7ContentInfo *cinfo;
+  SEC_PKCS7DecoderContext *dcx;
+
+  int status = 0;
+  char *errstring = NULL;
+
+  PORT_Assert( jar != NULL && signer != NULL );
+
+  if (jar == NULL || signer == NULL)
+    return JAR_ERR_ORDER;
+
+  signer->valid = JAR_ERR_SIG;
+
+  /* We need a context if we can get one */
+
+#ifdef MOZILLA_CLIENT_OLD
+  if (jar->mw == NULL) {
+    JAR_set_context (jar, NULL);
+  }
+#endif
+
+
+  dcx = SEC_PKCS7DecoderStart
+           (jar_catch_bytes, NULL /*cb_arg*/, NULL /*getpassword*/, jar->mw,
+            NULL, NULL, NULL);
+
+  if (dcx != NULL) 
+    {
+    SEC_PKCS7DecoderUpdate (dcx, data, length);
+    cinfo = SEC_PKCS7DecoderFinish (dcx);
+    }
+
+  if (cinfo == NULL)
+    {
+    /* strange pkcs7 failure */
+    return JAR_ERR_PK7;
+    }
+
+  if (SEC_PKCS7ContentIsEncrypted (cinfo))
+    {
+    /* content was encrypted, fail */
+    return JAR_ERR_PK7;
+    }
+
+  if (SEC_PKCS7ContentIsSigned (cinfo) == PR_FALSE)
+    {
+    /* content was not signed, fail */
+    return JAR_ERR_PK7;
+    }
+
+  PORT_SetError (0);
+
+  /* use SHA1 only */
+
+  detdig.len = SHA1_LENGTH;
+  detdig.data = signer->digest->sha1;
+
+#ifdef USE_MOZ_THREAD
+  if (jar_moz_verify
+        (cinfo, certUsageObjectSigner, &detdig, HASH_AlgSHA1, PR_FALSE)==
+		SECSuccess)
+#else
+  if (SEC_PKCS7VerifyDetachedSignature 
+        (cinfo, certUsageObjectSigner, &detdig, HASH_AlgSHA1, PR_FALSE)==
+		PR_TRUE)
+#endif
+    {
+    /* signature is valid */
+    signer->valid = 0;
+    jar_gather_signers (jar, signer, cinfo);
+    }
+  else
+    {
+    status = PORT_GetError();
+
+    PORT_Assert( status < 0 );
+    if (status >= 0) status = JAR_ERR_SIG;
+
+    jar->valid = status;
+    signer->valid = status;
+
+    errstring = JAR_get_error (status);
+    /*XP_TRACE(("JAR signature invalid (reason %d = %s)", status, errstring));*/
+    }
+
+  jar->pkcs7 = PR_TRUE;
+  signer->pkcs7 = PR_TRUE;
+
+  SEC_PKCS7DestroyContentInfo (cinfo);
+
+  return status;
+  }
+
+/*
+ *  j a r _ g a t h e r _ s i g n e r s
+ *
+ *  Add the single signer of this signature to the
+ *  certificate linked list.
+ *
+ */
+
+static int jar_gather_signers
+     (JAR *jar, JAR_Signer *signer, SEC_PKCS7ContentInfo *cinfo)
+  {
+  int result;
+
+  CERTCertificate *cert;
+  CERTCertDBHandle *certdb;
+
+  SEC_PKCS7SignedData *sdp;
+  SEC_PKCS7SignerInfo **pksigners, *pksigner;
+
+  sdp = cinfo->content.signedData;
+
+  if (sdp == NULL)
+    return JAR_ERR_PK7;
+
+  pksigners = sdp->signerInfos;
+
+  /* permit exactly one signer */
+
+  if (pksigners == NULL || pksigners [0] == NULL || pksigners [1] != NULL)
+    return JAR_ERR_PK7;
+
+  pksigner = *pksigners;
+  cert = pksigner->cert;
+
+  if (cert == NULL)
+    return JAR_ERR_PK7;
+
+  certdb = JAR_open_database();
+
+  if (certdb == NULL)
+    return JAR_ERR_GENERAL;
+
+  result = jar_add_cert (jar, signer, jarTypeSign, cert);
+
+  JAR_close_database (certdb);
+
+  return result;
+  }
+
+/*
+ *  j a r _ o p e n _ d a t a b a s e
+ *
+ *  Open the certificate database,
+ *  for use by JAR functions.
+ *
+ */
+
+CERTCertDBHandle *JAR_open_database (void)
+  {
+  int keepcerts = 0;
+  CERTCertDBHandle *certdb;
+
+  /* local_certdb will only be used if calling from a command line tool */
+  static CERTCertDBHandle local_certdb;
+
+  certdb = CERT_GetDefaultCertDB();
+
+  if (certdb == NULL) 
+    {
+    if (CERT_OpenCertDBFilename (&local_certdb, NULL, (PRBool)!keepcerts) != 
+	                                                           SECSuccess)
+      {
+      return NULL;
+      }
+    certdb = &local_certdb;
+    }
+
+  return certdb;
+  }
+
+/*
+ *  j a r _ c l o s e _ d a t a b a s e
+ *
+ *  Close the certificate database.
+ *  For use by JAR functions.
+ *
+ */
+
+int JAR_close_database (CERTCertDBHandle *certdb)
+  {
+  CERTCertDBHandle *defaultdb;
+
+  /* This really just retrieves the handle, nothing more */
+  defaultdb = CERT_GetDefaultCertDB();
+
+  /* If there is no default db, it means we opened 
+     the permanent database for some reason */
+
+  if (defaultdb == NULL && certdb != NULL)
+    CERT_ClosePermCertDB (certdb);
+
+  return 0;
+  }
+
+/*
+ *  j a r _ g e t _ c e r t i f i c a t e
+ *
+ *  Return the certificate referenced
+ *  by a given fingerprint, or NULL if not found.
+ *  Error code is returned in result.
+ *
+ */
+
+static CERTCertificate *jar_get_certificate
+      (JAR *jar, long keylen, void *key, int *result)
+  {
+  int found = 0;
+
+  JAR_Item *it;
+  JAR_Cert *fing;
+
+  JAR_Context *ctx;
+
+  if (jar == NULL) 
+    {
+    void *cert;
+    cert = JAR_fetch_cert (keylen, key);
+    *result = (cert == NULL) ? JAR_ERR_GENERAL : 0;
+    return (CERTCertificate *) cert;
+    }
+
+  ctx = JAR_find (jar, NULL, jarTypeSign);
+
+  while (JAR_find_next (ctx, &it) >= 0)
+    {
+    fing = (JAR_Cert *) it->data;
+
+    if (keylen != fing->length)
+      continue;
+
+    PORT_Assert( keylen < 0xFFFF );
+    if (!PORT_Memcmp (fing->key, key, keylen))
+      {
+      found = 1;
+      break;
+      }
+    }
+
+  JAR_find_end (ctx);
+
+  if (found == 0)
+    {
+    *result = JAR_ERR_GENERAL;
+    return NULL;
+    }
+
+  *result = 0;
+  return fing->cert;
+  }
+
+/*
+ *  j a r _ s i g n a l
+ *
+ *  Nonfatal errors come here to callback Java.
+ *  
+ */
+
+static int jar_signal 
+     (int status, JAR *jar, const char *metafile, char *pathname)
+  {
+  char *errstring;
+
+  errstring = JAR_get_error (status);
+
+  if (jar->signal)
+    {
+    (*jar->signal) (status, jar, metafile, pathname, errstring);
+    return 0;
+    }
+
+  return status;
+  }
+
+/*
+ *  j a r _ a p p e n d
+ *
+ *  Tack on an element to one of a JAR's linked
+ *  lists, with rudimentary error handling.
+ *
+ */
+
+int jar_append (ZZList *list, int type, 
+        char *pathname, void *data, size_t size)
+  {
+  JAR_Item *it;
+  ZZLink *entity;
+
+  it = (JAR_Item*)PORT_ZAlloc (sizeof (JAR_Item));
+
+  if (it == NULL)
+    goto loser;
+
+  if (pathname)
+    {
+    it->pathname = PORT_Strdup (pathname);
+    if (it->pathname == NULL)
+      goto loser;
+    }
+
+  it->type = (jarType)type;
+  it->data = (unsigned char *) data;
+  it->size = size;
+
+  entity = ZZ_NewLink (it);
+
+  if (entity)
+    {
+    ZZ_AppendLink (list, entity);
+    return 0;
+    }
+
+loser:
+
+  if (it)
+    {
+    if (it->pathname) PORT_Free (it->pathname);
+    PORT_Free (it);
+    }
+
+  return JAR_ERR_MEMORY;
+  }
+
+/* 
+ *  W I N 1 6   s t u f f
+ *
+ *  These functions possibly belong in xp_mem.c, they operate 
+ *  on huge string pointers for win16.
+ *
+ */
+
+#if defined(XP_WIN16)
+int xp_HUGE_STRNCASECMP (char ZHUGEP *buf, char *key, int len)
+  {
+  while (len--) 
+    {
+    char c1, c2;
+
+    c1 = *buf++;
+    c2 = *key++;
+
+    if (c1 >= 'a' && c1 <= 'z') c1 -= ('a' - 'A');
+    if (c2 >= 'a' && c2 <= 'z') c2 -= ('a' - 'A');
+
+    if (c1 != c2) 
+      return (c1 < c2) ? -1 : 1;
+    }
+  return 0;
+  }
+
+size_t xp_HUGE_STRLEN (char ZHUGEP *s)
+  {
+  size_t len = 0L;
+  while (*s++) len++;
+  return len;
+  }
+
+char *xp_HUGE_STRCPY (char *to, char ZHUGEP *from)
+  {
+  char *ret = to;
+
+  while (*from)
+    *to++ = *from++;
+  *to = 0;
+
+  return ret;
+  }
+#endif
diff --git a/security/nss/lib/pk11wrap/pk11skey.c b/security/nss/lib/pk11wrap/pk11skey.c
new file mode 100644
index 000000000..12489b889
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11skey.c
@@ -0,0 +1,4866 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * This file implements the Symkey wrapper and the PKCS context
+ * Interfaces.
+ */
+
+#include "seccomon.h"
+#include "secmod.h"
+#include "prlock.h"
+#include "secmodi.h"
+#include "pkcs11.h"
+#include "pk11func.h"
+#include "secitem.h"
+#include "key.h"
+#include "secoid.h"
+#include "secasn1.h"
+#include "sechash.h"
+#include "cert.h"
+#include "secerr.h"
+
+#define PAIRWISE_SECITEM_TYPE			siBuffer
+#define PAIRWISE_DIGEST_LENGTH			SHA1_LENGTH /* 160-bits */
+#define PAIRWISE_MESSAGE_LENGTH			20          /* 160-bits */
+
+/* forward static declarations. */
+static PK11SymKey *pk11_DeriveWithTemplate(PK11SymKey *baseKey, 
+	CK_MECHANISM_TYPE derive, SECItem *param, CK_MECHANISM_TYPE target, 
+	CK_ATTRIBUTE_TYPE operation, int keySize, CK_ATTRIBUTE *userAttr, 
+	unsigned int numAttrs);
+
+
+/*
+ * strip leading zero's from key material
+ */
+void
+pk11_SignedToUnsigned(CK_ATTRIBUTE *attrib) {
+    char *ptr = (char *)attrib->pValue;
+    unsigned long len = attrib->ulValueLen;
+
+    while (len && (*ptr == 0)) {
+	len--;
+	ptr++;
+    }
+    attrib->pValue = ptr;
+    attrib->ulValueLen = len;
+}
+
+/*
+ * get a new session on a slot. If we run out of session, use the slot's
+ * 'exclusive' session. In this case owner becomes false.
+ */
+static CK_SESSION_HANDLE
+pk11_GetNewSession(PK11SlotInfo *slot,PRBool *owner)
+{
+    CK_SESSION_HANDLE session;
+    *owner =  PR_TRUE;
+    if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
+    if ( PK11_GETTAB(slot)->C_OpenSession(slot->slotID,CKF_SERIAL_SESSION, 
+			slot,pk11_notify,&session) != CKR_OK) {
+	*owner = PR_FALSE;
+	session = slot->session;
+    }
+    if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+
+    return session;
+}
+
+static void
+pk11_CloseSession(PK11SlotInfo *slot,CK_SESSION_HANDLE session,PRBool owner)
+{
+    if (!owner) return;
+    if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
+    (void) PK11_GETTAB(slot)->C_CloseSession(session);
+    if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+}
+
+
+SECStatus
+PK11_CreateNewObject(PK11SlotInfo *slot, CK_SESSION_HANDLE session,
+				CK_ATTRIBUTE *theTemplate, int count, 
+				PRBool token, CK_OBJECT_HANDLE *objectID)
+{
+	CK_SESSION_HANDLE rwsession;
+	CK_RV crv;
+	SECStatus rv = SECSuccess;
+
+	rwsession = session;
+	if (rwsession == CK_INVALID_SESSION) {
+	    if (token) {
+		rwsession =  PK11_GetRWSession(slot);
+	    } else { 
+		rwsession =  slot->session;
+		PK11_EnterSlotMonitor(slot);
+	    }
+	}
+	crv = PK11_GETTAB(slot)->C_CreateObject(rwsession, theTemplate,
+							count,objectID);
+	if(crv != CKR_OK) {
+	    PORT_SetError( PK11_MapError(crv) );
+	    rv = SECFailure;
+	}
+
+	if (session == CK_INVALID_SESSION) {
+	    if (token) {
+		PK11_RestoreROSession(slot, rwsession);
+	    } else {
+		PK11_ExitSlotMonitor(slot);
+	    }
+        }
+
+	return rv;
+}
+
+static void
+pk11_EnterKeyMonitor(PK11SymKey *symKey) {
+    if (!symKey->sessionOwner || !(symKey->slot->isThreadSafe)) 
+	PK11_EnterSlotMonitor(symKey->slot);
+}
+
+static void
+pk11_ExitKeyMonitor(PK11SymKey *symKey) {
+    if (!symKey->sessionOwner || !(symKey->slot->isThreadSafe)) 
+    	PK11_ExitSlotMonitor(symKey->slot);
+}
+
+
+static PK11SymKey *pk11SymKeyHead = NULL;
+static PK11SymKey *
+pk11_getKeyFromList(PK11SlotInfo *slot) {
+    PK11SymKey *symKey = NULL;
+
+
+    PK11_USE_THREADS(PR_Lock(slot->freeListLock);)
+    if (slot->freeSymKeysHead) {
+    	symKey = slot->freeSymKeysHead;
+	slot->freeSymKeysHead = symKey->next;
+	slot->keyCount--;
+    }
+    PK11_USE_THREADS(PR_Unlock(slot->freeListLock);)
+    if (symKey) {
+	symKey->next = NULL;
+	if (!symKey->sessionOwner)
+    	    symKey->session = pk11_GetNewSession(slot,&symKey->sessionOwner);
+	return symKey;
+    }
+
+    symKey = (PK11SymKey *)PORT_ZAlloc(sizeof(PK11SymKey));
+    if (symKey == NULL) {
+	return NULL;
+    }
+    symKey->refLock = PR_NewLock();
+    if (symKey->refLock == NULL) {
+	PORT_Free(symKey);
+	return NULL;
+    }
+    symKey->session = pk11_GetNewSession(slot,&symKey->sessionOwner);
+    symKey->next = NULL;
+    return symKey;
+}
+
+void
+PK11_CleanKeyList(PK11SlotInfo *slot)
+{
+    PK11SymKey *symKey = NULL;
+
+    while (slot->freeSymKeysHead) {
+    	symKey = slot->freeSymKeysHead;
+	slot->freeSymKeysHead = symKey->next;
+	pk11_CloseSession(symKey->slot, symKey->session,symKey->sessionOwner);
+	PK11_USE_THREADS(PR_DestroyLock(symKey->refLock);)
+	PORT_Free(symKey);
+    };
+    return;
+}
+
+/*
+ * create a symetric key:
+ *      Slot is the slot to create the key in.
+ *      type is the mechainism type 
+ */
+PK11SymKey *
+PK11_CreateSymKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, void *wincx)
+{
+
+    PK11SymKey *symKey = pk11_getKeyFromList(slot);
+
+
+    if (symKey == NULL) {
+	return NULL;
+    }
+
+    symKey->type = type;
+    symKey->data.data = NULL;
+    symKey->data.len = 0;
+    symKey->owner = PR_TRUE;
+    symKey->objectID = CK_INVALID_KEY;
+    symKey->slot = slot;
+    symKey->series = slot->series;
+    symKey->cx = wincx;
+    symKey->size = 0;
+    symKey->refCount = 1;
+    symKey->origin = PK11_OriginNULL;
+    symKey->origin = PK11_OriginNULL;
+    PK11_ReferenceSlot(slot);
+    return symKey;
+}
+
+/*
+ * destroy a symetric key
+ */
+void
+PK11_FreeSymKey(PK11SymKey *symKey)
+{
+    PRBool destroy = PR_FALSE;
+    PK11SlotInfo *slot;
+    PRBool freeit = PR_TRUE;
+
+    PK11_USE_THREADS(PR_Lock(symKey->refLock);)
+     if (symKey->refCount-- == 1) {
+	destroy= PR_TRUE;
+    }
+    PK11_USE_THREADS(PR_Unlock(symKey->refLock);)
+    if (destroy) {
+	if ((symKey->owner) && symKey->objectID != CK_INVALID_KEY) {
+	    pk11_EnterKeyMonitor(symKey);
+	    (void) PK11_GETTAB(symKey->slot)->
+		C_DestroyObject(symKey->session, symKey->objectID);
+	    pk11_ExitKeyMonitor(symKey);
+	}
+	if (symKey->data.data) {
+	    PORT_Memset(symKey->data.data, 0, symKey->data.len);
+	    PORT_Free(symKey->data.data);
+	}
+        slot = symKey->slot;
+        PK11_USE_THREADS(PR_Lock(slot->freeListLock);)
+	if (slot->keyCount < slot->maxKeyCount) {
+	   symKey->next = slot->freeSymKeysHead;
+	   slot->freeSymKeysHead = symKey;
+	   slot->keyCount++;
+	   symKey->slot = NULL;
+	   freeit = PR_FALSE;
+        }
+	PK11_USE_THREADS(PR_Unlock(slot->freeListLock);)
+        if (freeit) {
+	    pk11_CloseSession(symKey->slot, symKey->session,
+							symKey->sessionOwner);
+	    PK11_USE_THREADS(PR_DestroyLock(symKey->refLock);)
+	    PORT_Free(symKey);
+	}
+	PK11_FreeSlot(slot);
+    }
+}
+
+PK11SymKey *
+PK11_ReferenceSymKey(PK11SymKey *symKey)
+{
+    PK11_USE_THREADS(PR_Lock(symKey->refLock);)
+    symKey->refCount++;
+    PK11_USE_THREADS(PR_Unlock(symKey->refLock);)
+    return symKey;
+}
+
+/*
+ * turn key handle into an appropriate key object
+ */
+PK11SymKey *
+PK11_SymKeyFromHandle(PK11SlotInfo *slot, PK11SymKey *parent, PK11Origin origin,
+    CK_MECHANISM_TYPE type, CK_OBJECT_HANDLE keyID, PRBool owner, void *wincx)
+{
+    PK11SymKey *symKey;
+
+    if (keyID == CK_INVALID_KEY) {
+	return NULL;
+    }
+
+    symKey = PK11_CreateSymKey(slot,type,wincx);
+    if (symKey == NULL) {
+	return NULL;
+    }
+
+    symKey->objectID = keyID;
+    symKey->origin = origin;
+    symKey->owner = owner;
+
+    /* adopt the parent's session */
+    /* This is only used by SSL. What we really want here is a session
+     * structure with a ref count so  the session goes away only after all the
+     * keys do. */
+    if (owner && parent) {
+	pk11_CloseSession(symKey->slot, symKey->session,symKey->sessionOwner);
+	symKey->sessionOwner = parent->sessionOwner;
+	symKey->session = parent->session;
+	parent->sessionOwner = PR_FALSE;
+    }
+
+    return symKey;
+}
+
+/*
+ * turn key handle into an appropriate key object
+ */
+PK11SymKey *
+PK11_GetWrapKey(PK11SlotInfo *slot, int wrap, CK_MECHANISM_TYPE type,
+						    int series, void *wincx)
+{
+    PK11SymKey *symKey = NULL;
+
+    if (slot->series != series) return NULL;
+    if (slot->refKeys[wrap] == CK_INVALID_KEY) return NULL;
+    if (type == CKM_INVALID_MECHANISM) type = slot->wrapMechanism;
+
+    symKey = PK11_SymKeyFromHandle(slot, NULL, PK11_OriginDerive,
+		 slot->wrapMechanism, slot->refKeys[wrap], PR_FALSE, wincx);
+    return symKey;
+}
+
+void
+PK11_SetWrapKey(PK11SlotInfo *slot, int wrap, PK11SymKey *wrapKey)
+{
+    /* save the handle and mechanism for the wrapping key */
+    /* mark the key and session as not owned by us to they don't get freed
+     * when the key goes way... that lets us reuse the key later */
+    slot->refKeys[wrap] = wrapKey->objectID;
+    wrapKey->owner = PR_FALSE;
+    wrapKey->sessionOwner = PR_FALSE;
+    slot->wrapMechanism = wrapKey->type;
+}
+
+CK_MECHANISM_TYPE
+PK11_GetMechanism(PK11SymKey *symKey)
+{
+    return symKey->type;
+}
+
+/*
+ * figure out if a key is still valid or if it is stale.
+ */
+PRBool
+PK11_VerifyKeyOK(PK11SymKey *key) {
+    if (!PK11_IsPresent(key->slot)) {
+	return PR_FALSE;
+    }
+    return (PRBool)(key->series == key->slot->series);
+}
+
+static PK11SymKey *
+pk11_ImportSymKeyWithTempl(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
+                  PK11Origin origin, CK_ATTRIBUTE *keyTemplate, 
+		  unsigned int templateCount, SECItem *key, void *wincx)
+{
+    PK11SymKey *    symKey;
+    SECStatus	    rv;
+
+    symKey = PK11_CreateSymKey(slot,type,wincx);
+    if (symKey == NULL) {
+	return NULL;
+    }
+
+    symKey->size = key->len;
+
+    PK11_SETATTRS(&keyTemplate[templateCount], CKA_VALUE, key->data, key->len);
+    templateCount++;
+
+    if (SECITEM_CopyItem(NULL,&symKey->data,key) != SECSuccess) {
+	PK11_FreeSymKey(symKey);
+	return NULL;
+    }
+
+    symKey->origin = origin;
+
+    /* import the keys */
+    rv = PK11_CreateNewObject(slot, symKey->session, keyTemplate,
+		 	templateCount, PR_FALSE, &symKey->objectID);
+    if ( rv != SECSuccess) {
+	PK11_FreeSymKey(symKey);
+	return NULL;
+    }
+
+    return symKey;
+}
+
+/*
+ * turn key bits into an appropriate key object
+ */
+PK11SymKey *
+PK11_ImportSymKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
+     PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key,void *wincx)
+{
+    PK11SymKey *    symKey;
+    unsigned int    templateCount = 0;
+    CK_OBJECT_CLASS keyClass 	= CKO_SECRET_KEY;
+    CK_KEY_TYPE     keyType 	= CKK_GENERIC_SECRET;
+    CK_BBOOL        cktrue 	= CK_TRUE; /* sigh */
+    CK_ATTRIBUTE    keyTemplate[5];
+    CK_ATTRIBUTE *  attrs 	= keyTemplate;
+
+    PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass) ); attrs++;
+    PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType) ); attrs++;
+    PK11_SETATTRS(attrs, operation, &cktrue, 1); attrs++;
+    /* PK11_SETATTRS(attrs, CKA_VALUE, key->data, key->len); attrs++; */
+    templateCount = attrs - keyTemplate;
+    PR_ASSERT(templateCount <= sizeof(keyTemplate)/sizeof(CK_ATTRIBUTE));
+
+    keyType = PK11_GetKeyType(type,key->len);
+    symKey = pk11_ImportSymKeyWithTempl(slot, type, origin, keyTemplate, 
+    					templateCount, key, wincx);
+    return symKey;
+}
+
+/*
+ * import a public key into the desired slot
+ */
+CK_OBJECT_HANDLE
+PK11_ImportPublicKey(PK11SlotInfo *slot, SECKEYPublicKey *pubKey, 
+								PRBool isToken)
+{
+    CK_BBOOL cktrue = CK_TRUE;
+    CK_BBOOL ckfalse = CK_FALSE;
+    CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
+    CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
+    CK_OBJECT_HANDLE objectID;
+    CK_ATTRIBUTE theTemplate[10];
+    CK_ATTRIBUTE *signedattr = NULL;
+    CK_ATTRIBUTE *attrs = theTemplate;
+    int signedcount = 0;
+    int templateCount = 0;
+    SECStatus rv;
+
+    /* if we already have an object in the desired slot, use it */
+    if (!isToken && pubKey->pkcs11Slot == slot) {
+	return pubKey->pkcs11ID;
+    }
+
+    /* free the existing key */
+    if (pubKey->pkcs11Slot != NULL) {
+	PK11SlotInfo *oSlot = pubKey->pkcs11Slot;
+	PK11_EnterSlotMonitor(oSlot);
+	(void) PK11_GETTAB(oSlot)->C_DestroyObject(oSlot->session,
+							pubKey->pkcs11ID);
+	PK11_ExitSlotMonitor(oSlot);
+	PK11_FreeSlot(oSlot);
+	pubKey->pkcs11Slot = NULL;
+    }
+    PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass) ); attrs++;
+    PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType) ); attrs++;
+    PK11_SETATTRS(attrs, CKA_TOKEN, isToken ? &cktrue : &ckfalse,
+						 sizeof(CK_BBOOL) ); attrs++;
+
+    /* now import the key */
+    {
+        switch (pubKey->keyType) {
+        case rsaKey:
+	    keyType = CKK_RSA;
+	    PK11_SETATTRS(attrs, CKA_WRAP, &cktrue, sizeof(CK_BBOOL) ); attrs++;
+	    PK11_SETATTRS(attrs, CKA_ENCRYPT, &cktrue, 
+						sizeof(CK_BBOOL) ); attrs++;
+	    PK11_SETATTRS(attrs, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL)); attrs++;
+ 	    signedattr = attrs;
+	    PK11_SETATTRS(attrs, CKA_MODULUS, pubKey->u.rsa.modulus.data,
+					 pubKey->u.rsa.modulus.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_PUBLIC_EXPONENT, 
+	     	pubKey->u.rsa.publicExponent.data,
+				 pubKey->u.rsa.publicExponent.len); attrs++;
+	    break;
+        case dsaKey:
+	    keyType = CKK_DSA;
+	    PK11_SETATTRS(attrs, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL));attrs++;
+ 	    signedattr = attrs;
+	    PK11_SETATTRS(attrs, CKA_PRIME,    pubKey->u.dsa.params.prime.data,
+				pubKey->u.dsa.params.prime.len); attrs++;
+	    PK11_SETATTRS(attrs,CKA_SUBPRIME,pubKey->u.dsa.params.subPrime.data,
+				pubKey->u.dsa.params.subPrime.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_BASE,  pubKey->u.dsa.params.base.data,
+					pubKey->u.dsa.params.base.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_VALUE,    pubKey->u.dsa.publicValue.data, 
+					pubKey->u.dsa.publicValue.len); attrs++;
+	    break;
+	case fortezzaKey:
+	    keyType = CKK_DSA;
+	    PK11_SETATTRS(attrs, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL));attrs++;
+ 	    signedattr = attrs;
+	    PK11_SETATTRS(attrs, CKA_PRIME,pubKey->u.fortezza.params.prime.data,
+				pubKey->u.fortezza.params.prime.len); attrs++;
+	    PK11_SETATTRS(attrs,CKA_SUBPRIME,
+				pubKey->u.fortezza.params.subPrime.data,
+				pubKey->u.fortezza.params.subPrime.len);attrs++;
+	    PK11_SETATTRS(attrs, CKA_BASE,  pubKey->u.fortezza.params.base.data,
+				pubKey->u.fortezza.params.base.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_VALUE, pubKey->u.fortezza.DSSKey.data, 
+				pubKey->u.fortezza.DSSKey.len); attrs++;
+            break;
+        case dhKey:
+	    keyType = CKK_DH;
+	    PK11_SETATTRS(attrs, CKA_DERIVE, &cktrue, sizeof(CK_BBOOL));attrs++;
+ 	    signedattr = attrs;
+	    PK11_SETATTRS(attrs, CKA_PRIME,    pubKey->u.dh.prime.data,
+				pubKey->u.dh.prime.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_BASE,  pubKey->u.dh.base.data,
+					pubKey->u.dh.base.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_VALUE,    pubKey->u.dh.publicValue.data, 
+					pubKey->u.dh.publicValue.len); attrs++;
+	    break;
+	/* what about fortezza??? */
+	default:
+	    PORT_SetError( SEC_ERROR_BAD_KEY );
+	    return CK_INVALID_KEY;
+	}
+
+	templateCount = attrs - theTemplate;
+	signedcount = attrs - signedattr;
+	PORT_Assert(templateCount <= (sizeof(theTemplate)/sizeof(CK_ATTRIBUTE)));
+	for (attrs=signedattr; signedcount; attrs++, signedcount--) {
+		pk11_SignedToUnsigned(attrs);
+	} 
+        rv = PK11_CreateNewObject(slot, CK_INVALID_SESSION, theTemplate,
+				 	templateCount, isToken, &objectID);
+	if ( rv != SECSuccess) {
+	    return CK_INVALID_KEY;
+	}
+    }
+
+    pubKey->pkcs11ID = objectID;
+    pubKey->pkcs11Slot = PK11_ReferenceSlot(slot);
+
+    return objectID;
+}
+
+
+/*
+ * return the slot associated with a symetric key
+ */
+PK11SlotInfo *
+PK11_GetSlotFromKey(PK11SymKey *symKey)
+{
+    return PK11_ReferenceSlot(symKey->slot);
+}
+
+PK11SymKey *
+PK11_FindFixedKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *keyID,
+								void *wincx)
+{
+    CK_ATTRIBUTE findTemp[4];
+    CK_ATTRIBUTE *attrs;
+    CK_BBOOL ckTrue = CK_TRUE;
+    CK_OBJECT_CLASS keyclass = CKO_SECRET_KEY;
+    int tsize = 0;
+    CK_OBJECT_HANDLE key_id;
+
+    attrs = findTemp;
+    PK11_SETATTRS(attrs, CKA_CLASS, &keyclass, sizeof(keyclass)); attrs++;
+    PK11_SETATTRS(attrs, CKA_TOKEN, &ckTrue, sizeof(ckTrue)); attrs++;
+    if (keyID) {
+        PK11_SETATTRS(attrs, CKA_ID, keyID->data, keyID->len); attrs++;
+    }
+    tsize = attrs - findTemp;
+    PORT_Assert(tsize <= sizeof(findTemp)/sizeof(CK_ATTRIBUTE));
+
+    key_id = pk11_FindObjectByTemplate(slot,findTemp,tsize);
+    if (key_id == CK_INVALID_KEY) {
+	return NULL;
+    }
+    return PK11_SymKeyFromHandle(slot, NULL, PK11_OriginDerive, type, key_id,
+		 				PR_FALSE, wincx);
+}
+
+void *
+PK11_GetWindow(PK11SymKey *key)
+{
+   return key->cx;
+}
+    
+
+/*
+ * extract a symetric key value. NOTE: if the key is sensitive, we will
+ * not be able to do this operation. This function is used to move
+ * keys from one token to another */
+SECStatus
+PK11_ExtractKeyValue(PK11SymKey *symKey)
+{
+
+    if (symKey->data.data != NULL) return SECSuccess;
+
+    if (symKey->slot == NULL) {
+	PORT_SetError( SEC_ERROR_INVALID_KEY );
+	return SECFailure;
+    }
+
+    return PK11_ReadAttribute(symKey->slot,symKey->objectID,CKA_VALUE,NULL,
+				&symKey->data);
+}
+
+SECItem *
+PK11_GetKeyData(PK11SymKey *symKey)
+{
+    return &symKey->data;
+}
+
+/*
+ * take an attribute and copy it into a secitem, converting unsigned to signed.
+ */
+static CK_RV
+pk11_Attr2SecItem(PRArenaPool *arena, CK_ATTRIBUTE *attr, SECItem *item) {
+    unsigned char *dataPtr;
+
+    item->len = attr->ulValueLen;
+    dataPtr = (unsigned char*) PORT_ArenaAlloc(arena, item->len+1);
+    if ( dataPtr == NULL) {
+	return CKR_HOST_MEMORY;
+    } 
+    *dataPtr = 0;
+    item->data = dataPtr+1;
+    PORT_Memcpy(item->data,attr->pValue,item->len);
+    if (item->data[0] & 0x80) {
+	item->data = item->data-1;
+	item->len++;
+    }
+    return CKR_OK;
+}
+/*
+ * extract a public key from a slot and id
+ */
+SECKEYPublicKey *
+PK11_ExtractPublicKey(PK11SlotInfo *slot,KeyType keyType,CK_OBJECT_HANDLE id)
+{
+    CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
+    PRArenaPool *arena;
+    PRArenaPool *tmp_arena;
+    SECKEYPublicKey *pubKey;
+    int templateCount = 0;
+    CK_KEY_TYPE pk11KeyType;
+    CK_RV crv;
+    CK_ATTRIBUTE template[8];
+    CK_ATTRIBUTE *attrs= template;
+    CK_ATTRIBUTE *modulus,*exponent,*base,*prime,*subprime,*value;
+
+    /* if we didn't know the key type, get it */
+    if (keyType== nullKey) {
+
+        pk11KeyType = PK11_ReadULongAttribute(slot,id,CKA_KEY_TYPE);
+	if (pk11KeyType ==  CK_UNAVAILABLE_INFORMATION) {
+	    PORT_SetError( PK11_MapError(crv) );
+	    return NULL;
+	}
+	switch (pk11KeyType) {
+	case CKK_RSA:
+	    keyType = rsaKey;
+	    break;
+	case CKK_DSA:
+	    keyType = dsaKey;
+	    break;
+	case CKK_DH:
+	    keyType = dhKey;
+	    break;
+	default:
+	    PORT_SetError( SEC_ERROR_BAD_KEY );
+	    return NULL;
+	}
+    }
+
+
+    /* now we need to create space for the public key */
+    arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) return NULL;
+    tmp_arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE);
+    if (tmp_arena == NULL) {
+	PORT_FreeArena (arena, PR_FALSE);
+	return NULL;
+    }
+
+
+    pubKey = (SECKEYPublicKey *) 
+			PORT_ArenaZAlloc(arena, sizeof(SECKEYPublicKey));
+    if (pubKey == NULL) {
+	PORT_FreeArena (arena, PR_FALSE);
+	PORT_FreeArena (tmp_arena, PR_FALSE);
+	return NULL;
+    }
+
+    pubKey->arena = arena;
+    pubKey->keyType = keyType;
+    pubKey->pkcs11Slot = PK11_ReferenceSlot(slot);
+    pubKey->pkcs11ID = id;
+    PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, 
+						sizeof(keyClass)); attrs++;
+    PK11_SETATTRS(attrs, CKA_KEY_TYPE, &pk11KeyType, 
+						sizeof(pk11KeyType) ); attrs++;
+    switch (pubKey->keyType) {
+    case rsaKey:
+	modulus = attrs;
+	PK11_SETATTRS(attrs, CKA_MODULUS, NULL, 0); attrs++; 
+	exponent = attrs;
+	PK11_SETATTRS(attrs, CKA_PUBLIC_EXPONENT, NULL, 0); attrs++; 
+
+	templateCount = attrs - template;
+	PR_ASSERT(templateCount <= sizeof(template)/sizeof(CK_ATTRIBUTE));
+	crv = PK11_GetAttributes(tmp_arena,slot,id,template,templateCount);
+	if (crv != CKR_OK) break;
+
+	if ((keyClass != CKO_PUBLIC_KEY) || (pk11KeyType != CKK_RSA)) {
+	    crv = CKR_OBJECT_HANDLE_INVALID;
+	    break;
+	} 
+	crv = pk11_Attr2SecItem(arena,modulus,&pubKey->u.rsa.modulus);
+	if (crv != CKR_OK) break;
+	crv = pk11_Attr2SecItem(arena,exponent,&pubKey->u.rsa.publicExponent);
+	if (crv != CKR_OK) break;
+	break;
+    case dsaKey:
+	prime = attrs;
+	PK11_SETATTRS(attrs, CKA_PRIME, NULL, 0); attrs++; 
+	subprime = attrs;
+	PK11_SETATTRS(attrs, CKA_SUBPRIME, NULL, 0); attrs++; 
+	base = attrs;
+	PK11_SETATTRS(attrs, CKA_BASE, NULL, 0); attrs++; 
+	value = attrs;
+	PK11_SETATTRS(attrs, CKA_VALUE, NULL, 0); attrs++; 
+	templateCount = attrs - template;
+	PR_ASSERT(templateCount <= sizeof(template)/sizeof(CK_ATTRIBUTE));
+	crv = PK11_GetAttributes(tmp_arena,slot,id,template,templateCount);
+	if (crv != CKR_OK) break;
+
+	if ((keyClass != CKO_PUBLIC_KEY) || (pk11KeyType != CKK_DSA)) {
+	    crv = CKR_OBJECT_HANDLE_INVALID;
+	    break;
+	} 
+	crv = pk11_Attr2SecItem(arena,prime,&pubKey->u.dsa.params.prime);
+	if (crv != CKR_OK) break;
+	crv = pk11_Attr2SecItem(arena,subprime,&pubKey->u.dsa.params.subPrime);
+	if (crv != CKR_OK) break;
+	crv = pk11_Attr2SecItem(arena,base,&pubKey->u.dsa.params.base);
+	if (crv != CKR_OK) break;
+	crv = pk11_Attr2SecItem(arena,value,&pubKey->u.dsa.publicValue);
+	if (crv != CKR_OK) break;
+	break;
+    case dhKey:
+	prime = attrs;
+	PK11_SETATTRS(attrs, CKA_PRIME, NULL, 0); attrs++; 
+	base = attrs;
+	PK11_SETATTRS(attrs, CKA_BASE, NULL, 0); attrs++; 
+	value =attrs;
+	PK11_SETATTRS(attrs, CKA_VALUE, NULL, 0); attrs++; 
+	templateCount = attrs - template;
+	PR_ASSERT(templateCount <= sizeof(template)/sizeof(CK_ATTRIBUTE));
+	crv = PK11_GetAttributes(tmp_arena,slot,id,template,templateCount);
+	if (crv != CKR_OK) break;
+
+	if ((keyClass != CKO_PUBLIC_KEY) || (pk11KeyType != CKK_DSA)) {
+	    crv = CKR_OBJECT_HANDLE_INVALID;
+	    break;
+	} 
+	crv = pk11_Attr2SecItem(arena,prime,&pubKey->u.dh.prime);
+	if (crv != CKR_OK) break;
+	crv = pk11_Attr2SecItem(arena,base,&pubKey->u.dh.base);
+	if (crv != CKR_OK) break;
+	crv = pk11_Attr2SecItem(arena,value,&pubKey->u.dh.publicValue);
+	if (crv != CKR_OK) break;
+	break;
+    case fortezzaKey:
+    case nullKey:
+    default:
+	crv = CKR_OBJECT_HANDLE_INVALID;
+	break;
+    }
+
+    PORT_FreeArena(tmp_arena,PR_FALSE);
+
+    if (crv != CKR_OK) {
+	PORT_FreeArena(arena,PR_FALSE);
+	PK11_FreeSlot(slot);
+	PORT_SetError( PK11_MapError(crv) );
+	return NULL;
+    }
+
+    return pubKey;
+}
+
+/*
+ * Build a Private Key structure from raw PKCS #11 information.
+ */
+SECKEYPrivateKey *
+PK11_MakePrivKey(PK11SlotInfo *slot, KeyType keyType, 
+			PRBool isTemp, CK_OBJECT_HANDLE privID, void *wincx)
+{
+    PRArenaPool *arena;
+    SECKEYPrivateKey *privKey;
+
+    /* don't know? look it up */
+    if (keyType == nullKey) {
+	CK_KEY_TYPE pk11Type = CKK_RSA;
+
+	pk11Type = PK11_ReadULongAttribute(slot,privID,CKA_KEY_TYPE);
+	isTemp = (PRBool)!PK11_HasAttributeSet(slot,privID,CKA_TOKEN);
+	switch (pk11Type) {
+	case CKK_RSA: keyType = rsaKey; break;
+	case CKK_DSA: keyType = dsaKey; break;
+	case CKK_DH: keyType = dhKey; break;
+	case CKK_KEA: keyType = fortezzaKey; break;
+	default:
+		break;
+	}
+    }
+
+    /* now we need to create space for the private key */
+    arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) return NULL;
+
+    privKey = (SECKEYPrivateKey *) 
+			PORT_ArenaZAlloc(arena, sizeof(SECKEYPrivateKey));
+    if (privKey == NULL) {
+	PORT_FreeArena(arena, PR_FALSE);
+	return NULL;
+    }
+
+    privKey->arena = arena;
+    privKey->keyType = keyType;
+    privKey->pkcs11Slot = PK11_ReferenceSlot(slot);
+    privKey->pkcs11ID = privID;
+    privKey->pkcs11IsTemp = isTemp;
+    privKey->wincx = wincx;
+
+    return privKey;
+}
+
+/* return the keylength if possible.  '0' if not */
+unsigned int
+PK11_GetKeyLength(PK11SymKey *key)
+{
+   if (key->size != 0) return key->size ;
+   if (key->data.data == NULL) {
+	PK11_ExtractKeyValue(key);
+   }
+   /* key is probably secret. Look up it's type and length */
+   /*  this is new PKCS #11 version 2.0 functionality. */
+   if (key->size == 0) {
+	CK_ULONG keyLength;
+
+	keyLength = PK11_ReadULongAttribute(key->slot,key->objectID,CKA_VALUE_LEN);
+	/* doesn't have a length field, check the known PKCS #11 key types,
+	 * which don't have this field */
+	if (keyLength == CK_UNAVAILABLE_INFORMATION) {
+	    CK_KEY_TYPE keyType;
+	    keyType = PK11_ReadULongAttribute(key->slot,key->objectID,CKA_KEY_TYPE);
+	    switch (keyType) {
+	    case CKK_DES: key->size = 8; break;
+	    case CKK_DES2: key->size = 16; break;
+	    case CKK_DES3: key->size = 24; break;
+	    case CKK_SKIPJACK: key->size = 10; break;
+	    case CKK_BATON: key->size = 20; break;
+	    case CKK_JUNIPER: key->size = 20; break;
+	    case CKK_GENERIC_SECRET:
+		if (key->type == CKM_SSL3_PRE_MASTER_KEY_GEN)  {
+		    key->size=48;
+		}
+		break;
+	    default: break;
+	    }
+	} else {
+	    key->size = (unsigned int)keyLength;
+	}
+    }
+	
+   return key->size;
+}
+
+/* return the strength of a key. This is different from length in that
+ * 1) it returns the size in bits, and 2) it returns only the secret portions
+ * of the key minus any checksums or parity.
+ */
+unsigned int
+PK11_GetKeyStrength(PK11SymKey *key, SECAlgorithmID *algid) 
+{
+     int size=0;
+     CK_MECHANISM_TYPE mechanism= CKM_INVALID_MECHANISM; /* RC2 only */
+     SECItem *param = NULL; /* RC2 only */
+     CK_RC2_CBC_PARAMS *rc2_params = NULL; /* RC2 ONLY */
+     unsigned int effectiveBits = 0; /* RC2 ONLY */
+
+     switch (PK11_GetKeyType(key->type,0)) {
+     case CKK_CDMF:
+	return 40;
+     case CKK_DES:
+	return 56;
+     case CKK_DES3:
+     case CKK_DES2:
+	size = PK11_GetKeyLength(key);
+	if (size == 16) {
+	   /* double des */
+	   return 112; /* 16*7 */
+	}
+	return 168;
+    /*
+     * RC2 has is different than other ciphers in that it allows the user
+     * to deprecating keysize while still requiring all the bits for the 
+     * original key. The info
+     * on what the effective key strength is in the parameter for the key.
+     * In S/MIME this parameter is stored in the DER encoded algid. In Our 
+     * other uses of RC2, effectiveBits == keyBits, so this code functions
+     * correctly without an algid.
+     */
+    case CKK_RC2:
+	/* if no algid was provided, fall through to default */
+        if (!algid) {
+	    break; 
+	}
+	/* verify that the algid is for RC2 */
+	mechanism = PK11_AlgtagToMechanism(SECOID_GetAlgorithmTag(algid));
+	if ((mechanism != CKM_RC2_CBC) && (mechanism != CKM_RC2_ECB)) {
+	    break;
+	}
+
+	/* now get effective bits from the algorithm ID. */
+	param = PK11_ParamFromAlgid(algid);
+	/* if we couldn't get memory just use key length */
+	if (param == NULL) {
+	    break;
+	}
+
+	rc2_params = (CK_RC2_CBC_PARAMS *) param->data;
+	/* paranoia... shouldn't happen */
+	PORT_Assert(param->data != NULL);
+	if (param->data == NULL) {
+	    SECITEM_FreeItem(param,PR_TRUE);
+	    break;
+	}
+	effectiveBits = (unsigned int)rc2_params->ulEffectiveBits;
+	SECITEM_FreeItem(param,PR_TRUE);
+	param = NULL; rc2_params=NULL; /* paranoia */
+
+	/* we have effective bits, is and allocated memory is free, now
+	 * we need to return the smaller of effective bits and keysize */
+	size = PK11_GetKeyLength(key);
+	if ((unsigned int)size*8 > effectiveBits) {
+	    return effectiveBits;
+	}
+
+	return size*8; /* the actual key is smaller, the strength can't be
+			* greater than the actual key size */
+	
+    default:
+	break;
+    }
+    return PK11_GetKeyLength(key) * 8;
+}
+
+/* Make a Key type to an appropriate signing/verification mechanism */
+static CK_MECHANISM_TYPE
+pk11_mapSignKeyType(KeyType keyType)
+{
+    switch (keyType) {
+    case rsaKey:
+	return CKM_RSA_PKCS;
+    case fortezzaKey:
+    case dsaKey:
+	return CKM_DSA;
+    case dhKey:
+    default:
+	break;
+    }
+    return CKM_INVALID_MECHANISM;
+}
+
+static CK_MECHANISM_TYPE
+pk11_mapWrapKeyType(KeyType keyType)
+{
+    switch (keyType) {
+    case rsaKey:
+	return CKM_RSA_PKCS;
+    /* Add fortezza?? */
+    default:
+	break;
+    }
+    return CKM_INVALID_MECHANISM;
+}
+
+/*
+ * Some non-compliant PKCS #11 vendors do not give us the modulus, so actually
+ * set up a signature to get the signaure length.
+ */
+static int
+pk11_backupGetSignLength(SECKEYPrivateKey *key)
+{
+    PK11SlotInfo *slot = key->pkcs11Slot;
+    CK_MECHANISM mech = {0, NULL, 0 };
+    PRBool owner = PR_TRUE;
+    CK_SESSION_HANDLE session;
+    CK_ULONG len;
+    CK_RV crv;
+    unsigned char h_data[20]  = { 0 };
+    unsigned char buf[20]; /* obviously to small */
+    CK_ULONG smallLen = sizeof(buf);
+
+    mech.mechanism = pk11_mapSignKeyType(key->keyType);
+
+    session = pk11_GetNewSession(slot,&owner);
+    if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_SignInit(session,&mech,key->pkcs11ID);
+    if (crv != CKR_OK) {
+	if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+	pk11_CloseSession(slot,session,owner);
+	PORT_SetError( PK11_MapError(crv) );
+	return -1;
+    }
+    len = 0;
+    crv = PK11_GETTAB(slot)->C_Sign(session,h_data,sizeof(h_data),
+					NULL, &len);
+    /* now call C_Sign with too small a buffer to clear the session state */
+    (void) PK11_GETTAB(slot)->
+			C_Sign(session,h_data,sizeof(h_data),buf,&smallLen);
+	
+    if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+    pk11_CloseSession(slot,session,owner);
+    if (crv != CKR_OK) {
+	PORT_SetError( PK11_MapError(crv) );
+	return -1;
+    }
+    return len;
+}
+/*
+ * get the length of a signature object based on the key
+ */
+int
+PK11_SignatureLen(SECKEYPrivateKey *key)
+{
+    PK11SlotInfo *slot = key->pkcs11Slot;
+    int val;
+
+    switch (key->keyType) {
+    case rsaKey:
+	val = PK11_GetPrivateModulusLen(key);
+	if (val == -1) {
+	    break;			/* failed */
+	}
+	return (unsigned long) val;
+	
+    case fortezzaKey:
+    case dsaKey:
+	return 40;
+
+    default:
+	break;
+    }
+    PORT_SetError( SEC_ERROR_INVALID_KEY );
+    return 0;
+}
+
+PK11SlotInfo *
+PK11_GetSlotFromPrivateKey(SECKEYPrivateKey *key)
+{
+    PK11SlotInfo *slot = key->pkcs11Slot;
+    slot = PK11_ReferenceSlot(slot);
+    return slot;
+}
+
+/*
+ * Get the modulus length for raw parsing
+ */
+int
+PK11_GetPrivateModulusLen(SECKEYPrivateKey *key)
+{
+    CK_ATTRIBUTE theTemplate = { CKA_MODULUS, NULL, 0 };
+    PK11SlotInfo *slot = key->pkcs11Slot;
+    CK_RV crv;
+    int length;
+
+    switch (key->keyType) {
+    case rsaKey:
+	crv = PK11_GetAttributes(NULL, slot, key->pkcs11ID, &theTemplate, 1);
+	if (crv != CKR_OK) {
+	    PORT_SetError( PK11_MapError(crv) );
+	    return -1;
+	}
+	length = theTemplate.ulValueLen;
+	if ( *(unsigned char *)theTemplate.pValue == 0) {
+	    length--;
+	}
+	if (theTemplate.pValue != NULL)
+	    PORT_Free(theTemplate.pValue);
+	return (int) length;
+	
+    case fortezzaKey:
+    case dsaKey:
+    case dhKey:
+    default:
+	break;
+    }
+    if (theTemplate.pValue != NULL)
+	PORT_Free(theTemplate.pValue);
+    PORT_SetError( SEC_ERROR_INVALID_KEY );
+    return -1;
+}
+
+/*
+ * copy a key (or any other object) on a token
+ */
+CK_OBJECT_HANDLE
+PK11_CopyKey(PK11SlotInfo *slot, CK_OBJECT_HANDLE srcObject)
+{
+    CK_OBJECT_HANDLE destObject;
+    CK_RV crv;
+
+    PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_CopyObject(slot->session,srcObject,NULL,0,
+				&destObject);
+    PK11_ExitSlotMonitor(slot);
+    if (crv == CKR_OK) return destObject;
+    PORT_SetError( PK11_MapError(crv) );
+    return CK_INVALID_KEY;
+}
+
+
+PK11SymKey *
+pk11_KeyExchange(PK11SlotInfo *slot,CK_MECHANISM_TYPE type,
+		 	CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey);
+
+/*
+ * The next two utilities are to deal with the fact that a given operation
+ * may be a multi-slot affair. This creates a new key object that is copied
+ * into the new slot.
+ */
+PK11SymKey *
+pk11_CopyToSlot(PK11SlotInfo *slot,CK_MECHANISM_TYPE type,
+		 	CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey)
+{
+    SECStatus rv;
+    PK11SymKey *newKey = NULL;
+
+    /* Extract the raw key data if possible */
+    if (symKey->data.data == NULL) {
+	rv = PK11_ExtractKeyValue(symKey);
+	/* KEY is sensitive, we're try key exchanging it. */
+	if (rv != SECSuccess) {
+	    return pk11_KeyExchange(slot, type, operation, symKey);
+	}
+    }
+    newKey = PK11_ImportSymKey(slot, type, symKey->origin, operation, 
+						&symKey->data, symKey->cx);
+    if (newKey == NULL) newKey = pk11_KeyExchange(slot,type,operation,symKey);
+    return newKey;
+}
+
+/*
+ * Make sure the slot we are in the correct slot for the operation
+ */
+static PK11SymKey *
+pk11_ForceSlot(PK11SymKey *symKey,CK_MECHANISM_TYPE type,
+						CK_ATTRIBUTE_TYPE operation)
+{
+    PK11SlotInfo *slot = symKey->slot;
+    PK11SymKey *newKey = NULL;
+
+    if ((slot== NULL) || !PK11_DoesMechanism(slot,type)) {
+	slot = PK11_GetBestSlot(type,symKey->cx);
+	if (slot == NULL) {
+	    PORT_SetError( SEC_ERROR_NO_MODULE );
+	    return NULL;
+	}
+	newKey = pk11_CopyToSlot(slot, type, operation, symKey);
+	PK11_FreeSlot(slot);
+    }
+    return newKey;
+}
+
+/*
+ * Use the token to Generate a key. keySize must be 'zero' for fixed key
+ * length algorithms. NOTE: this means we can never generate a DES2 key
+ * from this interface!
+ */
+PK11SymKey *
+PK11_TokenKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *param,
+    int keySize, SECItem *keyid, PRBool isToken, void *wincx)
+{
+    PK11SymKey *symKey;
+    CK_ATTRIBUTE genTemplate[4];
+    CK_ATTRIBUTE *attrs = genTemplate;
+    int count = sizeof(genTemplate)/sizeof(genTemplate[0]);
+    CK_SESSION_HANDLE session;
+    CK_MECHANISM mechanism;
+    CK_RV crv;
+    PRBool weird = PR_FALSE;   /* hack for fortezza */
+    CK_BBOOL ckfalse = CK_FALSE;
+    CK_BBOOL cktrue = CK_TRUE;
+
+    if ((keySize == -1) && (type == CKM_SKIPJACK_CBC64)) {
+	weird = PR_TRUE;
+	keySize = 0;
+    }
+
+    /* TNH: Isn't this redundant, since "handleKey" will set defaults? */
+    PK11_SETATTRS(attrs, (!weird) 
+	? CKA_ENCRYPT : CKA_DECRYPT, &cktrue, sizeof(CK_BBOOL)); attrs++;
+    
+    if (keySize != 0) {
+        CK_ULONG key_size = keySize; /* Convert to PK11 type */
+
+        PK11_SETATTRS(attrs, CKA_VALUE_LEN, &key_size, sizeof(key_size)); 
+							attrs++;
+    }
+
+    /* Include key id value if provided */
+    if (keyid) {
+        PK11_SETATTRS(attrs, CKA_ID, keyid->data, keyid->len); attrs++;
+    }
+
+    if (isToken) {
+        PK11_SETATTRS(attrs, CKA_TOKEN, &cktrue, sizeof(cktrue));  attrs++;
+    }
+
+    count = attrs - genTemplate;
+    PR_ASSERT(count <= sizeof(genTemplate)/sizeof(CK_ATTRIBUTE));
+
+    /* find a slot to generate the key into */
+    /* Only do slot management if this is not a token key */
+    if (!isToken && (slot == NULL || !PK11_DoesMechanism(slot,type))) {
+        PK11SlotInfo *bestSlot;
+
+        bestSlot = PK11_GetBestSlot(type,wincx); /* TNH: references the slot? */
+        if (bestSlot == NULL) {
+	    PORT_SetError( SEC_ERROR_NO_MODULE );
+	    return NULL;
+	}
+
+        symKey = PK11_CreateSymKey(bestSlot,type,wincx);
+
+        PK11_FreeSlot(bestSlot);
+    } else {
+	symKey = PK11_CreateSymKey(slot, type, wincx);
+    }
+    if (symKey == NULL) return NULL;
+
+    symKey->size = keySize;
+    symKey->origin = (!weird) ? PK11_OriginGenerated : PK11_OriginFortezzaHack;
+
+    /* Initialize the Key Gen Mechanism */
+    mechanism.mechanism = PK11_GetKeyGen(type);
+    if (mechanism.mechanism == CKM_FAKE_RANDOM) {
+	PORT_SetError( SEC_ERROR_NO_MODULE );
+	return NULL;
+    }
+
+    /* Set the parameters for the key gen if provided */
+    mechanism.pParameter = NULL;
+    mechanism.ulParameterLen = 0;
+    if (param) {
+	mechanism.pParameter = param->data;
+	mechanism.ulParameterLen = param->len;
+    }
+
+    /* Get session and perform locking */
+    if (isToken) {
+        session = PK11_GetRWSession(symKey->slot);  /* Should always be original slot */
+    } else {
+        session = symKey->session;
+        pk11_EnterKeyMonitor(symKey);
+    }
+
+    crv = PK11_GETTAB(symKey->slot)->C_GenerateKey(session,
+			 &mechanism, genTemplate, count, &symKey->objectID);
+
+    /* Release lock and session */
+    if (isToken) {
+        PK11_RestoreROSession(symKey->slot, session);
+    } else {
+        pk11_ExitKeyMonitor(symKey);
+    }
+
+    if (crv != CKR_OK) {
+	PK11_FreeSymKey(symKey);
+	PORT_SetError( PK11_MapError(crv) );
+	return NULL;
+    }
+
+    return symKey;
+}
+
+PK11SymKey *
+PK11_KeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *param,
+						int keySize, void *wincx)
+{
+    return PK11_TokenKeyGen(slot, type, param, keySize, 0, PR_FALSE, wincx);
+}
+
+/* --- */
+PK11SymKey *
+PK11_GenDES3TokenKey(PK11SlotInfo *slot, SECItem *keyid, void *cx)
+{
+  return PK11_TokenKeyGen(slot, CKM_DES3_CBC, 0, 0, keyid, PR_TRUE, cx);
+}
+
+/*
+ * PKCS #11 pairwise consistency check utilized to validate key pair.
+ */
+static SECStatus
+pk11_PairwiseConsistencyCheck(SECKEYPublicKey *pubKey, 
+	SECKEYPrivateKey *privKey, CK_MECHANISM *mech, void* wincx )
+{
+    /* Variables used for Encrypt/Decrypt functions. */
+    unsigned char *known_message = (unsigned char *)"Known Crypto Message";
+    CK_BBOOL isEncryptable = CK_FALSE;
+    CK_BBOOL canSignVerify = CK_FALSE;
+    CK_BBOOL isDerivable = CK_FALSE;
+    unsigned char plaintext[PAIRWISE_MESSAGE_LENGTH];
+    CK_ULONG bytes_decrypted;
+    PK11SlotInfo *slot;
+    CK_OBJECT_HANDLE id;
+    unsigned char *ciphertext;
+    unsigned char *text_compared;
+    CK_ULONG max_bytes_encrypted;
+    CK_ULONG bytes_encrypted;
+    CK_ULONG bytes_compared;
+    CK_RV crv;
+
+    /* Variables used for Signature/Verification functions. */
+    unsigned char *known_digest = (unsigned char *)"Mozilla Rules World!";
+    SECItem  signature;
+    SECItem  digest;    /* always uses SHA-1 digest */
+    int signature_length;
+    SECStatus rv;
+
+    /**************************************************/
+    /* Pairwise Consistency Check of Encrypt/Decrypt. */
+    /**************************************************/
+
+    isEncryptable = PK11_HasAttributeSet( privKey->pkcs11Slot, 
+					privKey->pkcs11ID, CKA_DECRYPT );
+
+    /* If the encryption attribute is set; attempt to encrypt */
+    /* with the public key and decrypt with the private key.  */
+    if( isEncryptable ) {
+	/* Find a module to encrypt against */
+	slot = PK11_GetBestSlot(pk11_mapWrapKeyType(privKey->keyType),wincx);
+	if (slot == NULL) {
+	    PORT_SetError( SEC_ERROR_NO_MODULE );
+	    return SECFailure;
+	}
+
+	id = PK11_ImportPublicKey(slot,pubKey,PR_FALSE);
+	if (id == CK_INVALID_KEY) {
+	    PK11_FreeSlot(slot);
+	    return SECFailure;
+	}
+
+        /* Compute max bytes encrypted from modulus length of private key. */
+	max_bytes_encrypted = PK11_GetPrivateModulusLen( privKey );
+
+
+	/* Prepare for encryption using the public key. */
+        PK11_EnterSlotMonitor(slot);
+	crv = PK11_GETTAB( slot )->C_EncryptInit( slot->session,
+						  mech, id );
+        if( crv != CKR_OK ) {
+	    PK11_ExitSlotMonitor(slot);
+	    PORT_SetError( PK11_MapError( crv ) );
+	    PK11_FreeSlot(slot);
+	    return SECFailure;
+	}
+
+	/* Allocate space for ciphertext. */
+	ciphertext = (unsigned char *) PORT_Alloc( max_bytes_encrypted );
+	if( ciphertext == NULL ) {
+	    PK11_ExitSlotMonitor(slot);
+	    PORT_SetError( SEC_ERROR_NO_MEMORY );
+	    PK11_FreeSlot(slot);
+	    return SECFailure;
+	}
+
+	/* Initialize bytes encrypted to max bytes encrypted. */
+	bytes_encrypted = max_bytes_encrypted;
+
+	/* Encrypt using the public key. */
+	crv = PK11_GETTAB( slot )->C_Encrypt( slot->session,
+					      known_message,
+					      PAIRWISE_MESSAGE_LENGTH,
+					      ciphertext,
+					      &bytes_encrypted );
+	PK11_ExitSlotMonitor(slot);
+	PK11_FreeSlot(slot);
+	if( crv != CKR_OK ) {
+	    PORT_SetError( PK11_MapError( crv ) );
+	    PORT_Free( ciphertext );
+	    return SECFailure;
+	}
+
+	/* Always use the smaller of these two values . . . */
+	bytes_compared = ( bytes_encrypted > PAIRWISE_MESSAGE_LENGTH )
+			 ? PAIRWISE_MESSAGE_LENGTH
+			 : bytes_encrypted;
+
+	/* If there was a failure, the plaintext */
+	/* goes at the end, therefore . . .      */
+	text_compared = ( bytes_encrypted > PAIRWISE_MESSAGE_LENGTH )
+			? (ciphertext + bytes_encrypted -
+			  PAIRWISE_MESSAGE_LENGTH )
+			: ciphertext;
+
+	/* Check to ensure that ciphertext does */
+	/* NOT EQUAL known input message text   */
+	/* per FIPS PUB 140-1 directive.        */
+	if( ( bytes_encrypted != max_bytes_encrypted ) ||
+	    ( PORT_Memcmp( text_compared, known_message,
+			   bytes_compared ) == 0 ) ) {
+	    /* Set error to Invalid PRIVATE Key. */
+	    PORT_SetError( SEC_ERROR_INVALID_KEY );
+	    PORT_Free( ciphertext );
+	    return SECFailure;
+	}
+
+	slot = privKey->pkcs11Slot;
+	/* Prepare for decryption using the private key. */
+        PK11_EnterSlotMonitor(slot);
+	crv = PK11_GETTAB( slot )->C_DecryptInit( slot->session,
+						  mech,
+						  privKey->pkcs11ID );
+	if( crv != CKR_OK ) {
+	    PK11_ExitSlotMonitor(slot);
+	    PORT_SetError( PK11_MapError(crv) );
+	    PORT_Free( ciphertext );
+	    PK11_FreeSlot(slot);
+	    return SECFailure;
+	}
+
+	/* Initialize bytes decrypted to be the */
+	/* expected PAIRWISE_MESSAGE_LENGTH.    */
+	bytes_decrypted = PAIRWISE_MESSAGE_LENGTH;
+
+	/* Decrypt using the private key.   */
+	/* NOTE:  No need to reset the      */
+	/*        value of bytes_encrypted. */
+	crv = PK11_GETTAB( slot )->C_Decrypt( slot->session,
+					      ciphertext,
+					      bytes_encrypted,
+					      plaintext,
+					      &bytes_decrypted );
+	PK11_ExitSlotMonitor(slot);
+
+	/* Finished with ciphertext; free it. */
+	PORT_Free( ciphertext );
+
+	if( crv != CKR_OK ) {
+	   PORT_SetError( PK11_MapError(crv) );
+	    PK11_FreeSlot(slot);
+	   return SECFailure;
+	}
+
+	/* Check to ensure that the output plaintext */
+	/* does EQUAL known input message text.      */
+	if( ( bytes_decrypted != PAIRWISE_MESSAGE_LENGTH ) ||
+	    ( PORT_Memcmp( plaintext, known_message,
+			   PAIRWISE_MESSAGE_LENGTH ) != 0 ) ) {
+	    /* Set error to Bad PUBLIC Key. */
+	    PORT_SetError( SEC_ERROR_BAD_KEY );
+	    PK11_FreeSlot(slot);
+	    return SECFailure;
+	}
+      }
+
+    /**********************************************/
+    /* Pairwise Consistency Check of Sign/Verify. */
+    /**********************************************/
+
+    canSignVerify = PK11_HasAttributeSet ( privKey->pkcs11Slot, 
+					  privKey->pkcs11ID, CKA_VERIFY);
+    
+    if (canSignVerify)
+      {
+	/* Initialize signature and digest data. */
+	signature.data = NULL;
+	digest.data = NULL;
+	
+	/* Determine length of signature. */
+	signature_length = PK11_SignatureLen( privKey );
+	if( signature_length == 0 )
+	  goto failure;
+	
+	/* Allocate space for signature data. */
+	signature.data = (unsigned char *) PORT_Alloc( signature_length );
+	if( signature.data == NULL ) {
+	  PORT_SetError( SEC_ERROR_NO_MEMORY );
+	  goto failure;
+	}
+	
+	/* Allocate space for known digest data. */
+	digest.data = (unsigned char *) PORT_Alloc( PAIRWISE_DIGEST_LENGTH );
+	if( digest.data == NULL ) {
+	  PORT_SetError( SEC_ERROR_NO_MEMORY );
+	  goto failure;
+	}
+	
+	/* "Fill" signature type and length. */
+	signature.type = PAIRWISE_SECITEM_TYPE;
+	signature.len  = signature_length;
+	
+	/* "Fill" digest with known SHA-1 digest parameters. */
+	digest.type = PAIRWISE_SECITEM_TYPE;
+	PORT_Memcpy( digest.data, known_digest, PAIRWISE_DIGEST_LENGTH );
+	digest.len = PAIRWISE_DIGEST_LENGTH;
+	
+	/* Sign the known hash using the private key. */
+	rv = PK11_Sign( privKey, &signature, &digest );
+	if( rv != SECSuccess )
+	  goto failure;
+	
+	/* Verify the known hash using the public key. */
+	rv = PK11_Verify( pubKey, &signature, &digest, wincx );
+    if( rv != SECSuccess )
+      goto failure;
+	
+	/* Free signature and digest data. */
+	PORT_Free( signature.data );
+	PORT_Free( digest.data );
+      }
+
+
+
+    /**********************************************/
+    /* Pairwise Consistency Check for Derivation  */
+    /**********************************************/
+
+    isDerivable = PK11_HasAttributeSet ( privKey->pkcs11Slot, 
+					  privKey->pkcs11ID, CKA_DERIVE);
+    
+    if (isDerivable)
+      {   
+	/* 
+	 * We are not doing consistency check for Diffie-Hellman Key - 
+	 * otherwise it would be here
+	 */
+
+      }
+
+    return SECSuccess;
+
+failure:
+    if( signature.data != NULL )
+	PORT_Free( signature.data );
+    if( digest.data != NULL )
+	PORT_Free( digest.data );
+
+    return SECFailure;
+}
+
+
+
+/*
+ * take a private key in one pkcs11 module and load it into another:
+ *  NOTE: the source private key is a rare animal... it can't be sensitive.
+ *  This is used to do a key gen using one pkcs11 module and storing the
+ *  result into another.
+ */
+SECKEYPrivateKey *
+pk11_loadPrivKey(PK11SlotInfo *slot,SECKEYPrivateKey *privKey, 
+		SECKEYPublicKey *pubKey, PRBool token, PRBool sensitive) 
+{
+    CK_ATTRIBUTE privTemplate[] = {
+        /* class must be first */
+	{ CKA_CLASS, NULL, 0 },
+	{ CKA_KEY_TYPE, NULL, 0 },
+	/* these three must be next */
+	{ CKA_TOKEN, NULL, 0 },
+	{ CKA_PRIVATE, NULL, 0 },
+	{ CKA_SENSITIVE, NULL, 0 },
+	{ CKA_ID, NULL, 0 },
+#ifdef notdef
+	{ CKA_LABEL, NULL, 0 },
+	{ CKA_SUBJECT, NULL, 0 },
+#endif
+	/* RSA */
+	{ CKA_MODULUS, NULL, 0 },
+	{ CKA_PRIVATE_EXPONENT, NULL, 0 },
+	{ CKA_PUBLIC_EXPONENT, NULL, 0 },
+	{ CKA_PRIME_1, NULL, 0 },
+	{ CKA_PRIME_2, NULL, 0 },
+	{ CKA_EXPONENT_1, NULL, 0 },
+	{ CKA_EXPONENT_2, NULL, 0 },
+	{ CKA_COEFFICIENT, NULL, 0 },
+    };
+    CK_ATTRIBUTE *attrs = NULL, *ap;
+    int templateSize = sizeof(privTemplate)/sizeof(privTemplate[0]);
+    PRArenaPool *arena;
+    CK_OBJECT_HANDLE objectID;
+    int i, count = 0;
+    int extra_count = 0;
+    CK_RV crv;
+    SECStatus rv;
+
+    for (i=0; i < templateSize; i++) {
+	if (privTemplate[i].type == CKA_MODULUS) {
+	    attrs= &privTemplate[i];
+	    count = i;
+	    break;
+	}
+    }
+    PORT_Assert(attrs != NULL);
+    if (attrs == NULL) {
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	return NULL;
+    }
+
+    ap = attrs;
+
+    switch (privKey->keyType) {
+    case rsaKey:
+	count = templateSize;
+	extra_count = templateSize - (attrs - privTemplate);
+	break;
+    case dsaKey:
+	ap->type = CKA_PRIME; ap++; count++; extra_count++;
+	ap->type = CKA_SUBPRIME; ap++; count++; extra_count++;
+	ap->type = CKA_BASE; ap++; count++; extra_count++;
+	ap->type = CKA_VALUE; ap++; count++; extra_count++;
+	break;
+    case dhKey:
+	ap->type = CKA_PRIME; ap++; count++; extra_count++;
+	ap->type = CKA_BASE; ap++; count++; extra_count++;
+	ap->type = CKA_VALUE; ap++; count++; extra_count++;
+	break;
+     default:
+	count = 0;
+	extra_count = 0;
+	break;
+     }
+
+     if (count == 0) {
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	return NULL;
+     }
+
+     arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE);
+     if (arena == NULL) return NULL;
+     /*
+      * read out the old attributes.
+      */
+     crv = PK11_GetAttributes(arena, privKey->pkcs11Slot, privKey->pkcs11ID,
+		privTemplate,count);
+     if (crv != CKR_OK) {
+	PORT_SetError( PK11_MapError(crv) );
+	PORT_FreeArena(arena, PR_TRUE);
+	return NULL;
+     }
+
+     /* Reset sensitive, token, and private */
+     *(CK_BBOOL *)(privTemplate[2].pValue) = token ? CK_TRUE : CK_FALSE;
+     *(CK_BBOOL *)(privTemplate[3].pValue) = token ? CK_TRUE : CK_FALSE;
+     *(CK_BBOOL *)(privTemplate[4].pValue) = sensitive ? CK_TRUE : CK_FALSE;
+
+     /* Not everyone can handle zero padded key values, give
+      * them the raw data as unsigned */
+     for (ap=attrs; extra_count; ap++, extra_count--) {
+	pk11_SignedToUnsigned(ap);
+     }
+
+     /* now Store the puppies */
+     rv = PK11_CreateNewObject(slot, CK_INVALID_SESSION, privTemplate, 
+						count, token, &objectID);
+     PORT_FreeArena(arena, PR_TRUE);
+     if (rv != SECSuccess) {
+	return NULL;
+     }
+
+     /* try loading the public key as a token object */
+     if (pubKey) {
+	PK11_ImportPublicKey(slot, pubKey, PR_TRUE);
+	if (pubKey->pkcs11Slot) {
+	    PK11_FreeSlot(pubKey->pkcs11Slot);
+	    pubKey->pkcs11Slot = NULL;
+	    pubKey->pkcs11ID = CK_INVALID_KEY;
+	}
+     }
+
+     /* build new key structure */
+     return PK11_MakePrivKey(slot, privKey->keyType, (PRBool)!token, 
+						objectID, privKey->wincx);
+}
+
+
+/*
+ * Use the token to Generate a key. keySize must be 'zero' for fixed key
+ * length algorithms. NOTE: this means we can never generate a DES2 key
+ * from this interface!
+ */
+SECKEYPrivateKey *
+PK11_GenerateKeyPair(PK11SlotInfo *slot,CK_MECHANISM_TYPE type, 
+   void *param, SECKEYPublicKey **pubKey, PRBool token, 
+					PRBool sensitive, void *wincx)
+{
+    /* we have to use these native types because when we call PKCS 11 modules
+     * we have to make sure that we are using the correct sizes for all the
+     * parameters. */
+    CK_BBOOL ckfalse = CK_FALSE;
+    CK_BBOOL cktrue = CK_TRUE;
+    CK_ULONG modulusBits;
+    CK_BYTE publicExponent[4];
+    CK_ATTRIBUTE privTemplate[] = {
+	{ CKA_SENSITIVE, NULL, 0},
+	{ CKA_TOKEN,  NULL, 0},
+	{ CKA_PRIVATE,  NULL, 0},
+	{ CKA_DERIVE,  NULL, 0},
+	{ CKA_UNWRAP,  NULL, 0},
+	{ CKA_SIGN,  NULL, 0},
+	{ CKA_DECRYPT,  NULL, 0},
+    };
+    CK_ATTRIBUTE rsaPubTemplate[] = {
+	{ CKA_MODULUS_BITS, NULL, 0},
+	{ CKA_PUBLIC_EXPONENT, NULL, 0},
+	{ CKA_TOKEN,  NULL, 0},
+	{ CKA_DERIVE,  NULL, 0},
+	{ CKA_WRAP,  NULL, 0},
+	{ CKA_VERIFY,  NULL, 0},
+	{ CKA_VERIFY_RECOVER,  NULL, 0},
+	{ CKA_ENCRYPT,  NULL, 0},
+    };
+    CK_ATTRIBUTE dsaPubTemplate[] = {
+	{ CKA_PRIME, NULL, 0 },
+	{ CKA_SUBPRIME, NULL, 0 },
+	{ CKA_BASE, NULL, 0 },
+	{ CKA_TOKEN,  NULL, 0},
+	{ CKA_DERIVE,  NULL, 0},
+	{ CKA_WRAP,  NULL, 0},
+	{ CKA_VERIFY,  NULL, 0},
+	{ CKA_VERIFY_RECOVER,  NULL, 0},
+	{ CKA_ENCRYPT,  NULL, 0},
+    };
+    CK_ATTRIBUTE dhPubTemplate[] = {
+      { CKA_PRIME, NULL, 0 }, 
+      { CKA_BASE, NULL, 0 }, 
+      { CKA_TOKEN,  NULL, 0},
+      { CKA_DERIVE,  NULL, 0},
+      { CKA_WRAP,  NULL, 0},
+      { CKA_VERIFY,  NULL, 0},
+      { CKA_VERIFY_RECOVER,  NULL, 0},
+      { CKA_ENCRYPT,  NULL, 0},
+    };
+
+    int dsaPubCount = sizeof(dsaPubTemplate)/sizeof(dsaPubTemplate[0]);
+    /*CK_ULONG key_size = 0;*/
+    CK_ATTRIBUTE *pubTemplate;
+    int privCount = sizeof(privTemplate)/sizeof(privTemplate[0]);
+    int rsaPubCount = sizeof(rsaPubTemplate)/sizeof(rsaPubTemplate[0]);
+    int dhPubCount = sizeof(dhPubTemplate)/sizeof(dhPubTemplate[0]);
+    int pubCount = 0;
+    PK11RSAGenParams *rsaParams;
+    PQGParams *dsaParams;
+    DHParams * dhParams;
+    CK_MECHANISM mechanism;
+    CK_MECHANISM test_mech;
+    CK_SESSION_HANDLE session_handle;
+    CK_RV crv;
+    CK_OBJECT_HANDLE privID,pubID;
+    SECKEYPrivateKey *privKey;
+    KeyType keyType;
+    PRBool restore;
+    int peCount,i;
+    CK_ATTRIBUTE *attrs;
+    CK_ATTRIBUTE *privattrs;
+    SECItem *pubKeyIndex;
+    CK_ATTRIBUTE setTemplate;
+    SECStatus rv;
+    CK_MECHANISM_INFO mechanism_info;
+    CK_OBJECT_CLASS keyClass;
+    SECItem *cka_id;
+    PRBool haslock = PR_FALSE;
+    PRBool pubIsToken = PR_FALSE;
+
+    PORT_Assert(slot != NULL);
+    if (slot == NULL) {
+	PORT_SetError( SEC_ERROR_NO_MODULE);
+	return NULL;
+    }
+
+    /* if our slot really doesn't do this mechanism, Generate the key
+     * in our internal token and write it out */
+    if (!PK11_DoesMechanism(slot,type)) {
+	PK11SlotInfo *int_slot = PK11_GetInternalSlot();
+
+	/* don't loop forever looking for a slot */
+	if (slot == int_slot) {
+	    PK11_FreeSlot(int_slot);
+	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	    return NULL;
+	}
+
+	/* if there isn't a suitable slot, then we can't do the keygen */
+	if (int_slot == NULL) {
+	    PORT_SetError( SEC_ERROR_NO_MODULE );
+	    return NULL;
+	}
+
+	/* generate the temporary key to load */
+	privKey = PK11_GenerateKeyPair(int_slot,type, param, pubKey, PR_FALSE, 
+							PR_FALSE, wincx);
+	PK11_FreeSlot(int_slot);
+
+	/* if successful, load the temp key into the new token */
+	if (privKey != NULL) {
+	    SECKEYPrivateKey *newPrivKey = pk11_loadPrivKey(slot,privKey,
+						*pubKey,token,sensitive);
+	    SECKEY_DestroyPrivateKey(privKey);
+	    if (newPrivKey == NULL) {
+		SECKEY_DestroyPublicKey(*pubKey);
+		*pubKey = NULL;
+	    }
+	    return newPrivKey;
+	}
+	return NULL;
+   }
+
+
+    mechanism.mechanism = type;
+    mechanism.pParameter = NULL;
+    mechanism.ulParameterLen = 0;
+    test_mech.pParameter = NULL;
+    test_mech.ulParameterLen = 0;
+
+    /* set up the private key template */
+    privattrs = privTemplate;
+    PK11_SETATTRS(privattrs, CKA_SENSITIVE, sensitive ? &cktrue : &ckfalse, 
+					sizeof(CK_BBOOL)); privattrs++;
+    PK11_SETATTRS(privattrs, CKA_TOKEN, token ? &cktrue : &ckfalse,
+					 sizeof(CK_BBOOL)); privattrs++;
+    PK11_SETATTRS(privattrs, CKA_PRIVATE, sensitive ? &cktrue : &ckfalse,
+					 sizeof(CK_BBOOL)); privattrs++;
+
+    /* set up the mechanism specific info */
+    switch (type) {
+    case CKM_RSA_PKCS_KEY_PAIR_GEN:
+	rsaParams = (PK11RSAGenParams *)param;
+	modulusBits = rsaParams->keySizeInBits;
+	peCount = 0;
+
+	/* convert pe to a PKCS #11 string */
+	for (i=0; i < 4; i++) {
+	    if (peCount || (rsaParams->pe & 
+				((unsigned long)0xff000000L >> (i*8)))) {
+		publicExponent[peCount] = 
+				(CK_BYTE)((rsaParams->pe >> (3-i)*8) & 0xff);
+		peCount++;
+	    }
+	}
+	PORT_Assert(peCount != 0);
+	attrs = rsaPubTemplate;
+	PK11_SETATTRS(attrs, CKA_MODULUS_BITS, 
+				&modulusBits, sizeof(modulusBits)); attrs++;
+	PK11_SETATTRS(attrs, CKA_PUBLIC_EXPONENT, 
+				publicExponent, peCount);attrs++;
+	pubTemplate = rsaPubTemplate;
+	pubCount = rsaPubCount;
+	keyType = rsaKey;
+	test_mech.mechanism = CKM_RSA_PKCS;
+	break;
+    case CKM_DSA_KEY_PAIR_GEN:
+	dsaParams = (PQGParams *)param;
+	attrs = dsaPubTemplate;
+	PK11_SETATTRS(attrs, CKA_PRIME, dsaParams->prime.data,
+				dsaParams->prime.len); attrs++;
+	PK11_SETATTRS(attrs, CKA_SUBPRIME, dsaParams->subPrime.data,
+					dsaParams->subPrime.len); attrs++;
+	PK11_SETATTRS(attrs, CKA_BASE, dsaParams->base.data,
+						dsaParams->base.len); attrs++;
+	pubTemplate = dsaPubTemplate;
+	pubCount = dsaPubCount;
+	keyType = dsaKey;
+	test_mech.mechanism = CKM_DSA;
+	break;
+    case CKM_DH_PKCS_KEY_PAIR_GEN:
+        dhParams = (DHParams *)param;
+        attrs = dhPubTemplate;
+        PK11_SETATTRS(attrs, CKA_PRIME, dhParams->prime.data,
+                      dhParams->prime.len);   attrs++;
+        PK11_SETATTRS(attrs, CKA_BASE, dhParams->base.data,
+                      dhParams->base.len);    attrs++;
+        pubTemplate = dhPubTemplate;
+	pubCount = dhPubCount;
+        keyType = dhKey;
+        test_mech.mechanism = CKM_DH_PKCS_DERIVE;
+	break;
+    default:
+	PORT_SetError( SEC_ERROR_BAD_KEY );
+	return NULL;
+    }
+
+    /* now query the slot to find out how "good" a key we can generate */
+    if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID,
+				test_mech.mechanism,&mechanism_info);
+    if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+    if ((crv != CKR_OK) || (mechanism_info.flags == 0)) {
+	/* must be old module... guess what it should be... */
+	switch (test_mech.mechanism) {
+	case CKM_RSA_PKCS:
+		mechanism_info.flags = (CKF_SIGN | CKF_DECRYPT | 
+			CKF_WRAP | CKF_VERIFY_RECOVER | CKF_ENCRYPT | CKF_WRAP);;
+		break;
+	case CKM_DSA:
+		mechanism_info.flags = CKF_SIGN | CKF_VERIFY;
+		break;
+	case CKM_DH_PKCS_DERIVE:
+		mechanism_info.flags = CKF_DERIVE;
+		break;
+	default:
+	       break;
+	}
+    }
+    /* set the public key objects */
+    PK11_SETATTRS(attrs, CKA_TOKEN, token ? &cktrue : &ckfalse,
+					 sizeof(CK_BBOOL)); attrs++;
+    PK11_SETATTRS(attrs, CKA_DERIVE, 
+		mechanism_info.flags & CKF_DERIVE ? &cktrue : &ckfalse,
+					 sizeof(CK_BBOOL)); attrs++;
+    PK11_SETATTRS(attrs, CKA_WRAP, 
+		mechanism_info.flags & CKF_WRAP ? &cktrue : &ckfalse,
+					 sizeof(CK_BBOOL)); attrs++;
+    PK11_SETATTRS(attrs, CKA_VERIFY, 
+		mechanism_info.flags & CKF_VERIFY ? &cktrue : &ckfalse,
+					 sizeof(CK_BBOOL)); attrs++;
+    PK11_SETATTRS(attrs, CKA_VERIFY_RECOVER, 
+		mechanism_info.flags & CKF_VERIFY_RECOVER ? &cktrue : &ckfalse,
+					 sizeof(CK_BBOOL)); attrs++;
+    PK11_SETATTRS(attrs, CKA_ENCRYPT, 
+		mechanism_info.flags & CKF_ENCRYPT? &cktrue : &ckfalse,
+					 sizeof(CK_BBOOL)); attrs++;
+    PK11_SETATTRS(privattrs, CKA_DERIVE, 
+		mechanism_info.flags & CKF_DERIVE ? &cktrue : &ckfalse,
+					 sizeof(CK_BBOOL)); privattrs++;
+    PK11_SETATTRS(privattrs, CKA_UNWRAP, 
+		mechanism_info.flags & CKF_UNWRAP ? &cktrue : &ckfalse,
+					 sizeof(CK_BBOOL)); privattrs++;
+    PK11_SETATTRS(privattrs, CKA_SIGN, 
+		mechanism_info.flags & CKF_SIGN ? &cktrue : &ckfalse,
+					 sizeof(CK_BBOOL)); privattrs++;
+    PK11_SETATTRS(privattrs, CKA_DECRYPT, 
+		mechanism_info.flags & CKF_DECRYPT ? &cktrue : &ckfalse,
+					 sizeof(CK_BBOOL)); privattrs++;
+
+    if (token) {
+	session_handle = PK11_GetRWSession(slot);
+	haslock = PK11_RWSessionHasLock(slot,session_handle);
+	restore = PR_TRUE;
+    } else {
+        PK11_EnterSlotMonitor(slot); /* gross!! */
+	session_handle = slot->session;
+	restore = PR_FALSE;
+	haslock = PR_TRUE;
+    }
+
+    crv = PK11_GETTAB(slot)->C_GenerateKeyPair(session_handle, &mechanism,
+	pubTemplate,pubCount,privTemplate,privCount,&pubID,&privID);
+
+
+    if (crv != CKR_OK) {
+	if (restore)  {
+	    PK11_RestoreROSession(slot,session_handle);
+	} else PK11_ExitSlotMonitor(slot);
+	PORT_SetError( PK11_MapError(crv) );
+	return NULL;
+    }
+    /* This locking code is dangerous and needs to be more thought
+     * out... the real problem is that we're holding the mutex open this long
+     */
+    if (haslock) { PK11_ExitSlotMonitor(slot); }
+
+    /* swap around the ID's for older PKCS #11 modules */
+    keyClass = PK11_ReadULongAttribute(slot,pubID,CKA_CLASS);
+    if (keyClass != CKO_PUBLIC_KEY) {
+	CK_OBJECT_HANDLE tmp = pubID;
+	pubID = privID;
+	privID = tmp;
+    }
+
+    *pubKey = PK11_ExtractPublicKey(slot, keyType, pubID);
+    if (*pubKey == NULL) {
+	if (restore)  {
+	    /* we may have to restore the mutex so it get's exited properly
+	     * in RestoreROSession */
+            if (haslock)  PK11_EnterSlotMonitor(slot); 
+	    PK11_RestoreROSession(slot,session_handle);
+	} 
+	PK11_DestroyObject(slot,pubID);
+	PK11_DestroyObject(slot,privID);
+	return NULL;
+    }
+
+    /* set the ID to the public key so we can find it again */
+    pubKeyIndex =  NULL;
+    switch (type) {
+    case CKM_RSA_PKCS_KEY_PAIR_GEN:
+      pubKeyIndex = &(*pubKey)->u.rsa.modulus;
+      break;
+    case CKM_DSA_KEY_PAIR_GEN:
+      pubKeyIndex = &(*pubKey)->u.dsa.publicValue;
+      break;
+    case CKM_DH_PKCS_KEY_PAIR_GEN:
+      pubKeyIndex = &(*pubKey)->u.dh.publicValue;
+      break;      
+    }
+    PORT_Assert(pubKeyIndex != NULL);
+
+    cka_id = PK11_MakeIDFromPubKey(pubKeyIndex);
+    pubIsToken = (PRBool)PK11_HasAttributeSet(slot,pubID, CKA_TOKEN);
+
+    PK11_SETATTRS(&setTemplate, CKA_ID, cka_id->data, cka_id->len);
+
+    if (haslock) { PK11_EnterSlotMonitor(slot); }
+    crv = PK11_GETTAB(slot)->C_SetAttributeValue(session_handle, privID,
+		&setTemplate, 1);
+   
+    if (crv == CKR_OK && pubIsToken) {
+    	crv = PK11_GETTAB(slot)->C_SetAttributeValue(session_handle, pubID,
+		&setTemplate, 1);
+    }
+
+
+    if (restore) {
+	PK11_RestoreROSession(slot,session_handle);
+    } else {
+	PK11_ExitSlotMonitor(slot);
+    }
+    SECITEM_FreeItem(cka_id,PR_TRUE);
+
+
+    if (crv != CKR_OK) {
+	PK11_DestroyObject(slot,pubID);
+	PK11_DestroyObject(slot,privID);
+	PORT_SetError( PK11_MapError(crv) );
+	*pubKey = NULL;
+	return NULL;
+    }
+
+    privKey = PK11_MakePrivKey(slot,keyType,(PRBool)!token,privID,wincx);
+    if (privKey == NULL) {
+	SECKEY_DestroyPublicKey(*pubKey);
+	PK11_DestroyObject(slot,privID);
+	*pubKey = NULL;
+	return NULL;  /* due to pairwise consistency check */
+    }
+
+    /* Perform PKCS #11 pairwise consistency check. */
+    rv = pk11_PairwiseConsistencyCheck( *pubKey, privKey, &test_mech, wincx );
+    if( rv != SECSuccess ) {
+	SECKEY_DestroyPublicKey( *pubKey );
+	SECKEY_DestroyPrivateKey( privKey );
+	*pubKey = NULL;
+	privKey = NULL;
+	return NULL;
+    }
+
+    return privKey;
+}
+
+/*
+ * This function does a straight public key wrap (which only RSA can do).
+ * Use PK11_PubGenKey and PK11_WrapSymKey to implement the FORTEZZA and
+ * Diffie-Hellman Ciphers. */
+SECStatus
+PK11_PubWrapSymKey(CK_MECHANISM_TYPE type, SECKEYPublicKey *pubKey,
+				PK11SymKey *symKey, SECItem *wrappedKey)
+{
+    PK11SlotInfo *slot;
+    CK_ULONG len =  wrappedKey->len;
+    PK11SymKey *newKey = NULL;
+    CK_OBJECT_HANDLE id;
+    CK_MECHANISM mechanism;
+    PRBool owner = PR_TRUE;
+    CK_SESSION_HANDLE session;
+    CK_RV crv;
+
+    /* if this slot doesn't support the mechanism, go to a slot that does */
+    newKey = pk11_ForceSlot(symKey,type,CKA_ENCRYPT);
+    if (newKey != NULL) {
+	symKey = newKey;
+    }
+
+    if ((symKey == NULL) || (symKey->slot == NULL)) {
+	PORT_SetError( SEC_ERROR_NO_MODULE );
+	return SECFailure;
+    }
+
+    slot = symKey->slot;
+    mechanism.mechanism = pk11_mapWrapKeyType(pubKey->keyType);
+    mechanism.pParameter = NULL;
+    mechanism.ulParameterLen = 0;
+
+    id = PK11_ImportPublicKey(slot,pubKey,PR_FALSE);
+
+    session = pk11_GetNewSession(slot,&owner);
+    if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_WrapKey(session,&mechanism,
+		id,symKey->objectID,wrappedKey->data,&len);
+    if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+    pk11_CloseSession(slot,session,owner);
+    if (newKey) {
+	PK11_FreeSymKey(newKey);
+    }
+
+    if (crv != CKR_OK) {
+	PORT_SetError( PK11_MapError(crv) );
+	return SECFailure;
+    }
+    wrappedKey->len = len;
+    return SECSuccess;
+} 
+
+/*
+ * this little function uses the Encrypt function to wrap a key, just in
+ * case we have problems with the wrap implementation for a token.
+ */
+static SECStatus
+pk11_HandWrap(PK11SymKey *wrappingKey, SECItem *param, CK_MECHANISM_TYPE type,
+			 SECItem *inKey, SECItem *outKey)
+{
+    PK11SlotInfo *slot;
+    CK_ULONG len;
+    SECItem *data;
+    CK_MECHANISM mech;
+    PRBool owner = PR_TRUE;
+    CK_SESSION_HANDLE session;
+    CK_RV crv;
+
+    slot = wrappingKey->slot;
+    /* use NULL IV's for wrapping */
+    mech.mechanism = type;
+    if (param) {
+	mech.pParameter = param->data;
+	mech.ulParameterLen = param->len;
+    } else {
+	mech.pParameter = NULL;
+	mech.ulParameterLen = 0;
+    }
+    session = pk11_GetNewSession(slot,&owner);
+    if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_EncryptInit(session,&mech,
+							wrappingKey->objectID);
+    if (crv != CKR_OK) {
+        if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+        pk11_CloseSession(slot,session,owner);
+	PORT_SetError( PK11_MapError(crv) );
+	return SECFailure;
+    }
+
+    /* keys are almost always aligned, but if we get this far,
+     * we've gone above and beyond anyway... */
+    data = PK11_BlockData(inKey,PK11_GetBlockSize(type,param));
+    if (data == NULL) {
+        if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+        pk11_CloseSession(slot,session,owner);
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+    len = outKey->len;
+    crv = PK11_GETTAB(slot)->C_Encrypt(session,data->data,data->len,
+							   outKey->data, &len);
+    if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+    pk11_CloseSession(slot,session,owner);
+    SECITEM_FreeItem(data,PR_TRUE);
+    outKey->len = len;
+    if (crv != CKR_OK) {
+	PORT_SetError( PK11_MapError(crv) );
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/*
+ * This function does a symetric based wrap.
+ */
+SECStatus
+PK11_WrapSymKey(CK_MECHANISM_TYPE type, SECItem *param, 
+	PK11SymKey *wrappingKey, PK11SymKey *symKey, SECItem *wrappedKey)
+{
+    PK11SlotInfo *slot;
+    CK_ULONG len = wrappedKey->len;
+    PK11SymKey *newKey = NULL;
+    SECItem *param_save = NULL;
+    CK_MECHANISM mechanism;
+    PRBool owner = PR_TRUE;
+    CK_SESSION_HANDLE session;
+    CK_RV crv;
+    SECStatus rv;
+
+    /* if this slot doesn't support the mechanism, go to a slot that does */
+    /* Force symKey and wrappingKey into the same slot */
+    if ((wrappingKey->slot == NULL) || (symKey->slot != wrappingKey->slot)) {
+	/* first try copying the wrapping Key to the symKey slot */
+	if (symKey->slot && PK11_DoesMechanism(symKey->slot,type)) {
+	    newKey = pk11_CopyToSlot(symKey->slot,type,CKA_WRAP,wrappingKey);
+	}
+	/* Nope, try it the other way */
+	if (newKey == NULL) {
+	    if (wrappingKey->slot) {
+	        newKey = pk11_CopyToSlot(wrappingKey->slot,
+					symKey->type, CKA_ENCRYPT, symKey);
+	    }
+	    /* just not playing... one last thing, can we get symKey's data?
+	     * If it's possible, we it should already be in the 
+	     * symKey->data.data pointer because pk11_CopyToSlot would have
+	     * tried to put it there. */
+	    if (newKey == NULL) {
+		/* Can't get symKey's data: Game Over */
+		if (symKey->data.data == NULL) {
+		    PORT_SetError( SEC_ERROR_NO_MODULE );
+		    return SECFailure;
+		}
+		if (param == NULL) {
+		    param_save = param = PK11_ParamFromIV(type,NULL);
+		}
+		rv = pk11_HandWrap(wrappingKey, param, type,
+						&symKey->data,wrappedKey);
+		if (param_save) SECITEM_FreeItem(param_save,PR_TRUE);
+		return rv;
+	    }
+	    /* we successfully moved the sym Key */
+	    symKey = newKey;
+	} else {
+	    /* we successfully moved the wrapping Key */
+	    wrappingKey = newKey;
+	}
+    }
+
+    /* at this point both keys are in the same token */
+    slot = wrappingKey->slot;
+    mechanism.mechanism = type;
+    /* use NULL IV's for wrapping */
+    if (param == NULL) {
+    	param_save = param = PK11_ParamFromIV(type,NULL);
+    }
+    if (param) {
+	mechanism.pParameter = param->data;
+	mechanism.ulParameterLen = param->len;
+    } else {
+	mechanism.pParameter = NULL;
+	mechanism.ulParameterLen = 0;
+    }
+
+    len = wrappedKey->len;
+
+    session = pk11_GetNewSession(slot,&owner);
+    if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_WrapKey(session, &mechanism,
+		 wrappingKey->objectID, symKey->objectID, 
+						wrappedKey->data, &len);
+    if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+    pk11_CloseSession(slot,session,owner);
+    rv = SECSuccess;
+    if (crv != CKR_OK) {
+	/* can't wrap it? try hand wrapping it... */
+	do {
+	    if (symKey->data.data == NULL) {
+		rv = PK11_ExtractKeyValue(symKey);
+		if (rv != SECSuccess) break;
+	    }
+	    rv = pk11_HandWrap(wrappingKey, param, type, &symKey->data,
+								 wrappedKey);
+	} while (PR_FALSE);
+    } else {
+        wrappedKey->len = len;
+    }
+    if (newKey) PK11_FreeSymKey(newKey);
+    if (param_save) SECITEM_FreeItem(param_save,PR_TRUE);
+    return rv;
+} 
+
+/*
+ * This Generates a new key based on a symetricKey
+ */
+PK11SymKey *
+PK11_Derive( PK11SymKey *baseKey, CK_MECHANISM_TYPE derive, SECItem *param, 
+             CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation,
+	     int keySize)
+{
+    return pk11_DeriveWithTemplate(baseKey, derive, param, target, operation, 
+				   keySize, NULL, 0);
+}
+
+#define MAX_TEMPL_ATTRS 16 /* maximum attributes in template */
+
+/* This mask includes all CK_FLAGs with an equivalent CKA_ attribute. */
+#define CKF_KEY_OPERATION_FLAGS 0x000e7b00UL
+
+static unsigned int
+pk11_FlagsToAttributes(CK_FLAGS flags, CK_ATTRIBUTE *attrs, CK_BBOOL *ckTrue)
+{
+
+    const static CK_ATTRIBUTE_TYPE attrTypes[12] = {
+	CKA_ENCRYPT,      CKA_DECRYPT, 0 /* DIGEST */,     CKA_SIGN,
+	CKA_SIGN_RECOVER, CKA_VERIFY,  CKA_VERIFY_RECOVER, 0 /* GEN */,
+	0 /* GEN PAIR */, CKA_WRAP,    CKA_UNWRAP,         CKA_DERIVE 
+    };
+
+    const CK_ATTRIBUTE_TYPE *pType	= attrTypes;
+          CK_ATTRIBUTE      *attr	= attrs;
+          CK_FLAGS          test	= CKF_ENCRYPT;
+
+
+    PR_ASSERT(!(flags & ~CKF_KEY_OPERATION_FLAGS));
+    flags &= CKF_KEY_OPERATION_FLAGS;
+
+    for (; flags && test <= CKF_DERIVE; test <<= 1, ++pType) {
+    	if (test & flags) {
+	    flags ^= test;
+	    PK11_SETATTRS(attr, *pType, ckTrue, sizeof *ckTrue); 
+	    ++attr;
+	}
+    }
+    return (attr - attrs);
+}
+
+PK11SymKey *
+PK11_DeriveWithFlags( PK11SymKey *baseKey, CK_MECHANISM_TYPE derive, 
+	SECItem *param, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, 
+	int keySize, CK_FLAGS flags)
+{
+    CK_BBOOL        ckTrue	= CK_TRUE; 
+    CK_ATTRIBUTE    keyTemplate[MAX_TEMPL_ATTRS];
+    unsigned int    templateCount;
+
+    templateCount = pk11_FlagsToAttributes(flags, keyTemplate, &ckTrue);
+    return pk11_DeriveWithTemplate(baseKey, derive, param, target, operation, 
+				   keySize, keyTemplate, templateCount);
+}
+
+static PRBool
+pk11_FindAttrInTemplate(CK_ATTRIBUTE *    attr, 
+                        unsigned int      numAttrs,
+			CK_ATTRIBUTE_TYPE target)
+{
+    for (; numAttrs > 0; ++attr, --numAttrs) {
+    	if (attr->type == target)
+	    return PR_TRUE;
+    }
+    return PR_FALSE;
+}
+
+static PK11SymKey *
+pk11_DeriveWithTemplate( PK11SymKey *baseKey, CK_MECHANISM_TYPE derive, 
+	SECItem *param, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, 
+	int keySize, CK_ATTRIBUTE *userAttr, unsigned int numAttrs)
+{
+    PK11SlotInfo *  slot	= baseKey->slot;
+    PK11SymKey *    symKey;
+    PK11SymKey *    newBaseKey	= NULL;
+    CK_BBOOL        cktrue	= CK_TRUE; 
+    CK_OBJECT_CLASS keyClass	= CKO_SECRET_KEY;
+    CK_KEY_TYPE     keyType	= CKK_GENERIC_SECRET;
+    CK_ULONG        valueLen	= 0;
+    CK_MECHANISM    mechanism; 
+    CK_RV           crv;
+    CK_ATTRIBUTE    keyTemplate[MAX_TEMPL_ATTRS];
+    CK_ATTRIBUTE *  attrs	= keyTemplate;
+    unsigned int    templateCount;
+
+    if (numAttrs > MAX_TEMPL_ATTRS) {
+    	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+    /* first copy caller attributes in. */
+    for (templateCount = 0; templateCount < numAttrs; ++templateCount) {
+    	*attrs++ = *userAttr++;
+    }
+
+    /* We only add the following attributes to the template if the caller
+    ** didn't already supply them.
+    */
+    if (!pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_CLASS)) {
+	PK11_SETATTRS(attrs, CKA_CLASS,     &keyClass, sizeof keyClass); 
+	attrs++;
+    }
+    if (!pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_KEY_TYPE)) {
+	keyType = PK11_GetKeyType(target, keySize);
+	PK11_SETATTRS(attrs, CKA_KEY_TYPE,  &keyType,  sizeof keyType ); 
+	attrs++;
+    }
+    if (keySize > 0 &&
+    	  !pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_VALUE_LEN)) {
+	valueLen = (CK_ULONG)keySize;
+	PK11_SETATTRS(attrs, CKA_VALUE_LEN, &valueLen, sizeof valueLen); 
+	attrs++;
+    }
+    if (!pk11_FindAttrInTemplate(keyTemplate, numAttrs, operation)) {
+	PK11_SETATTRS(attrs, operation, &cktrue, sizeof cktrue); attrs++;
+    }
+
+    templateCount = attrs - keyTemplate;
+    PR_ASSERT(templateCount <= MAX_TEMPL_ATTRS);
+
+    /* move the key to a slot that can do the function */
+    if (!PK11_DoesMechanism(slot,derive)) {
+	/* get a new base key & slot */
+	PK11SlotInfo *newSlot = PK11_GetBestSlot(derive, baseKey->cx);
+
+	if (newSlot == NULL) return NULL;
+
+        newBaseKey = pk11_CopyToSlot (newSlot, derive, CKA_DERIVE, 
+				     baseKey);
+	PK11_FreeSlot(newSlot);
+	if (newBaseKey == NULL) return NULL;	
+	baseKey = newBaseKey;
+	slot = baseKey->slot;
+    }
+
+
+    /* get our key Structure */
+    symKey = PK11_CreateSymKey(slot,target,baseKey->cx);
+    if (symKey == NULL) {
+	return NULL;
+    }
+
+    symKey->size = keySize;
+
+    mechanism.mechanism = derive;
+    if (param) {
+	mechanism.pParameter = param->data;
+	mechanism.ulParameterLen = param->len;
+    } else {
+	mechanism.pParameter = NULL;
+	mechanism.ulParameterLen = 0;
+    }
+    symKey->origin=PK11_OriginDerive;
+
+    pk11_EnterKeyMonitor(symKey);
+    crv = PK11_GETTAB(slot)->C_DeriveKey(symKey->session, &mechanism,
+	     baseKey->objectID, keyTemplate, templateCount, &symKey->objectID);
+    pk11_ExitKeyMonitor(symKey);
+
+    if (newBaseKey) PK11_FreeSymKey(newBaseKey);
+    if (crv != CKR_OK) {
+	PK11_FreeSymKey(symKey);
+	return NULL;
+    }
+    return symKey;
+}
+
+/* build a public KEA key from the public value */
+SECKEYPublicKey *
+PK11_MakeKEAPubKey(unsigned char *keyData,int length)
+{
+    SECKEYPublicKey *pubk;
+    SECItem pkData;
+    SECStatus rv;
+    PRArenaPool *arena;
+
+    pkData.data = keyData;
+    pkData.len = length;
+
+    arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL)
+	return NULL;
+
+    pubk = (SECKEYPublicKey *) PORT_ArenaZAlloc(arena, sizeof(SECKEYPublicKey));
+    if (pubk == NULL) {
+	PORT_FreeArena (arena, PR_FALSE);
+	return NULL;
+    }
+
+    pubk->arena = arena;
+    pubk->pkcs11Slot = 0;
+    pubk->pkcs11ID = CK_INVALID_KEY;
+    pubk->keyType = fortezzaKey;
+    rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.KEAKey, &pkData);
+    if (rv != SECSuccess) {
+	PORT_FreeArena (arena, PR_FALSE);
+	return NULL;
+    }
+    return pubk;
+}
+	
+
+/*
+ * This Generates a wrapping key based on a privateKey, publicKey, and two
+ * random numbers. For Mail usage RandomB should be NULL. In the Sender's
+ * case RandomA is generate, outherwize it is passed.
+ */
+static unsigned char *rb_email = NULL;
+
+PK11SymKey *
+PK11_PubDerive(SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey, 
+   PRBool isSender, SECItem *randomA, SECItem *randomB, 
+    CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target,
+			CK_ATTRIBUTE_TYPE operation, int keySize,void *wincx)
+{
+    PK11SlotInfo *slot = privKey->pkcs11Slot;
+    CK_MECHANISM mechanism;
+    PK11SymKey *symKey;
+    CK_RV crv;
+
+
+    if (rb_email == NULL) {
+	rb_email = PORT_ZAlloc(128);
+	if (rb_email == NULL) {
+	    return NULL;
+	}
+	rb_email[127] = 1;
+    }
+
+    /* get our key Structure */
+    symKey = PK11_CreateSymKey(slot,target,wincx);
+    if (symKey == NULL) {
+	return NULL;
+    }
+
+    symKey->origin = PK11_OriginDerive;
+
+    switch (privKey->keyType) {
+    case rsaKey:
+    case nullKey:
+	PORT_SetError(SEC_ERROR_BAD_KEY);
+	break;
+    /* case keaKey: */
+    case dsaKey:
+    case fortezzaKey:
+	{
+	    CK_KEA_DERIVE_PARAMS param;
+	    param.isSender = (CK_BBOOL) isSender;
+	    param.ulRandomLen = randomA->len;
+	    param.pRandomA = randomA->data;
+	    param.pRandomB = rb_email;
+	    if (randomB)
+		 param.pRandomB = randomB->data;
+	    if (pubKey->keyType == fortezzaKey) {
+		param.ulPublicDataLen = pubKey->u.fortezza.KEAKey.len;
+		param.pPublicData = pubKey->u.fortezza.KEAKey.data;
+	    } else {
+		/* assert type == keaKey */
+		/* XXX change to match key key types */
+		param.ulPublicDataLen = pubKey->u.fortezza.KEAKey.len;
+		param.pPublicData = pubKey->u.fortezza.KEAKey.data;
+	    }
+
+	    mechanism.mechanism = derive;
+	    mechanism.pParameter = &param;
+	    mechanism.ulParameterLen = sizeof(param);
+
+	    /* get a new symKey structure */
+	    pk11_EnterKeyMonitor(symKey);
+	    crv=PK11_GETTAB(slot)->C_DeriveKey(symKey->session, &mechanism,
+			privKey->pkcs11ID, NULL, 0, &symKey->objectID);
+	    pk11_ExitKeyMonitor(symKey);
+	    if (crv == CKR_OK) return symKey;
+	    PORT_SetError( PK11_MapError(crv) );
+	}
+	break;
+    case dhKey:
+	{
+	    CK_BBOOL cktrue = CK_TRUE;
+	    CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
+	    CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
+	    CK_ULONG key_size = 0;
+	    CK_ATTRIBUTE keyTemplate[4];
+	    int templateCount;
+	    CK_ATTRIBUTE *attrs = keyTemplate;
+
+	    if (pubKey->keyType != dhKey) {
+		PORT_SetError(SEC_ERROR_BAD_KEY);
+		break;
+	    }
+
+	    PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass));
+	    attrs++;
+	    PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType));
+	    attrs++;
+	    PK11_SETATTRS(attrs, operation, &cktrue, 1); attrs++;
+	    PK11_SETATTRS(attrs, CKA_VALUE_LEN, &key_size, sizeof(key_size)); 
+	    attrs++;
+	    templateCount =  attrs - keyTemplate;
+	    PR_ASSERT(templateCount <= sizeof(keyTemplate)/sizeof(CK_ATTRIBUTE));
+
+	    keyType = PK11_GetKeyType(target,keySize);
+	    key_size = keySize;
+	    symKey->size = keySize;
+	    if (key_size == 0) templateCount--;
+
+	    mechanism.mechanism = derive;
+
+	    /* we can undefine these when we define diffie-helman keys */
+	    mechanism.pParameter = pubKey->u.dh.publicValue.data; 
+	    mechanism.ulParameterLen = pubKey->u.dh.publicValue.len;
+		
+	    pk11_EnterKeyMonitor(symKey);
+	    crv = PK11_GETTAB(slot)->C_DeriveKey(symKey->session, &mechanism,
+	     privKey->pkcs11ID, keyTemplate, templateCount, &symKey->objectID);
+	    pk11_ExitKeyMonitor(symKey);
+	    if (crv == CKR_OK) return symKey;
+	    PORT_SetError( PK11_MapError(crv) );
+	}
+	break;
+   }
+
+   PK11_FreeSymKey(symKey);
+   return NULL;
+}
+
+/*
+ * this little function uses the Decrypt function to unwrap a key, just in
+ * case we are having problem with unwrap. NOTE: The key size may
+ * not be preserved properly for some algorithms!
+ */
+static PK11SymKey *
+pk11_HandUnwrap(PK11SlotInfo *slot, CK_OBJECT_HANDLE wrappingKey,
+                CK_MECHANISM *mech, SECItem *inKey, CK_MECHANISM_TYPE target, 
+		CK_ATTRIBUTE *keyTemplate, unsigned int templateCount, 
+		int key_size, void * wincx)
+{
+    CK_ULONG len;
+    SECItem outKey;
+    PK11SymKey *symKey;
+    CK_RV crv;
+    PRBool owner = PR_TRUE;
+    PRBool bool = PR_TRUE;
+    CK_SESSION_HANDLE session;
+
+    /* remove any VALUE_LEN parameters */
+    if (keyTemplate[templateCount-1].type == CKA_VALUE_LEN) {
+        templateCount--;
+    }
+
+    /* keys are almost always aligned, but if we get this far,
+     * we've gone above and beyond anyway... */
+    outKey.data = (unsigned char*)PORT_Alloc(inKey->len);
+    if (outKey.data == NULL) {
+	PORT_SetError( SEC_ERROR_NO_MEMORY );
+	return NULL;
+    }
+    len = inKey->len;
+
+    /* use NULL IV's for wrapping */
+    session = pk11_GetNewSession(slot,&owner);
+    if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_DecryptInit(session,mech,wrappingKey);
+    if (crv != CKR_OK) {
+	if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+	pk11_CloseSession(slot,session,owner);
+	PORT_Free(outKey.data);
+	PORT_SetError( PK11_MapError(crv) );
+	return NULL;
+    }
+    crv = PK11_GETTAB(slot)->C_Decrypt(session,inKey->data,inKey->len,
+							   outKey.data, &len);
+    if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+    pk11_CloseSession(slot,session,owner);
+    if (crv != CKR_OK) {
+	PORT_Free(outKey.data);
+	PORT_SetError( PK11_MapError(crv) );
+	return NULL;
+    }
+
+    outKey.len = (key_size == 0) ? len : key_size;
+
+    if (PK11_DoesMechanism(slot,target)) {
+	symKey = pk11_ImportSymKeyWithTempl(slot, target, PK11_OriginUnwrap, 
+	                                    keyTemplate, templateCount, 
+					    &outKey, wincx);
+    } else {
+	slot = PK11_GetBestSlot(target,wincx);
+	if (slot == NULL) {
+	    PORT_SetError( SEC_ERROR_NO_MODULE );
+	    PORT_Free(outKey.data);
+	    return NULL;
+	}
+	symKey = pk11_ImportSymKeyWithTempl(slot, target, PK11_OriginUnwrap, 
+	                                    keyTemplate, templateCount, 
+					    &outKey, wincx);
+	PK11_FreeSlot(slot);
+    }
+    PORT_Free(outKey.data);
+    return symKey;
+}
+
+/*
+ * The wrap/unwrap function is pretty much the same for private and
+ * public keys. It's just getting the Object ID and slot right. This is
+ * the combined unwrap function.
+ */
+static PK11SymKey *
+pk11_AnyUnwrapKey(PK11SlotInfo *slot, CK_OBJECT_HANDLE wrappingKey,
+    CK_MECHANISM_TYPE wrapType, SECItem *param, SECItem *wrappedKey, 
+    CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize, 
+    void *wincx, CK_ATTRIBUTE *userAttr, unsigned int numAttrs)
+{
+    PK11SymKey *    symKey;
+    SECItem *       param_free	= NULL;
+    CK_BBOOL        ckfalse	= CK_FALSE; 
+    CK_BBOOL        cktrue	= CK_TRUE; 
+    CK_OBJECT_CLASS keyClass	= CKO_SECRET_KEY;
+    CK_KEY_TYPE     keyType	= CKK_GENERIC_SECRET;
+    CK_ULONG        valueLen	= 0;
+    CK_MECHANISM    mechanism;
+    CK_RV           crv;
+    CK_MECHANISM_INFO mechanism_info;
+    CK_ATTRIBUTE    keyTemplate[MAX_TEMPL_ATTRS];
+    CK_ATTRIBUTE *  attrs	= keyTemplate;
+    unsigned int    templateCount;
+
+    if (numAttrs > MAX_TEMPL_ATTRS) {
+    	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+    /* first copy caller attributes in. */
+    for (templateCount = 0; templateCount < numAttrs; ++templateCount) {
+    	*attrs++ = *userAttr++;
+    }
+
+    /* We only add the following attributes to the template if the caller
+    ** didn't already supply them.
+    */
+    if (!pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_CLASS)) {
+	PK11_SETATTRS(attrs, CKA_CLASS,     &keyClass, sizeof keyClass); 
+	attrs++;
+    }
+    if (!pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_KEY_TYPE)) {
+	keyType = PK11_GetKeyType(target, keySize);
+	PK11_SETATTRS(attrs, CKA_KEY_TYPE,  &keyType,  sizeof keyType ); 
+	attrs++;
+    }
+    if (!pk11_FindAttrInTemplate(keyTemplate, numAttrs, operation)) {
+	PK11_SETATTRS(attrs, operation, &cktrue, 1); attrs++;
+    }
+
+    /*
+     * must be last in case we need to use this template to import the key
+     */
+    if (keySize > 0 &&
+    	  !pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_VALUE_LEN)) {
+	valueLen = (CK_ULONG)keySize;
+	PK11_SETATTRS(attrs, CKA_VALUE_LEN, &valueLen, sizeof valueLen); 
+	attrs++;
+    }
+
+    templateCount = attrs - keyTemplate;
+    PR_ASSERT(templateCount <= sizeof(keyTemplate)/sizeof(CK_ATTRIBUTE));
+
+
+    /* find out if we can do wrap directly. Because the RSA case if *very*
+     * common, cache the results for it. */
+    if ((wrapType == CKM_RSA_PKCS) && (slot->hasRSAInfo)) {
+	mechanism_info.flags = slot->RSAInfoFlags;
+    } else {
+	if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
+	crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID,wrapType,
+				 &mechanism_info);
+    	if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+    	if (crv != CKR_OK) {
+	     mechanism_info.flags = 0;
+    	}
+        if (wrapType == CKM_RSA_PKCS) {
+	    slot->RSAInfoFlags = mechanism_info.flags;
+	    slot->hasRSAInfo = PR_TRUE;
+	}
+    }
+
+    /* initialize the mechanism structure */
+    mechanism.mechanism = wrapType;
+    /* use NULL IV's for wrapping */
+    if (param == NULL) param = param_free = PK11_ParamFromIV(wrapType,NULL);
+    if (param) {
+	mechanism.pParameter = param->data;
+	mechanism.ulParameterLen = param->len;
+    } else {
+	mechanism.pParameter = NULL;
+	mechanism.ulParameterLen = 0;
+    }
+
+    if ((mechanism_info.flags & CKF_DECRYPT)  
+				&& !PK11_DoesMechanism(slot,target)) {
+	symKey = pk11_HandUnwrap(slot, wrappingKey, &mechanism, wrappedKey, 
+	                         target, keyTemplate, templateCount, keySize, 
+				 wincx);
+	if (symKey) {
+	    if (param_free) SECITEM_FreeItem(param_free,PR_TRUE);
+	    return symKey;
+	}
+	/* fall through, maybe they incorrectly set CKF_DECRYPT */
+    }
+
+    /* get our key Structure */
+    symKey = PK11_CreateSymKey(slot,target,wincx);
+    if (symKey == NULL) {
+	if (param_free) SECITEM_FreeItem(param_free,PR_TRUE);
+	return NULL;
+    }
+
+    symKey->size = keySize;
+    symKey->origin = PK11_OriginUnwrap;
+
+    pk11_EnterKeyMonitor(symKey);
+    crv = PK11_GETTAB(slot)->C_UnwrapKey(symKey->session,&mechanism,wrappingKey,
+		wrappedKey->data, wrappedKey->len, keyTemplate, templateCount, 
+							  &symKey->objectID);
+    pk11_ExitKeyMonitor(symKey);
+    if (param_free) SECITEM_FreeItem(param_free,PR_TRUE);
+    if (crv != CKR_OK) {
+	/* try hand Unwrapping */
+	PK11_FreeSymKey(symKey);
+	symKey = pk11_HandUnwrap(slot, wrappingKey, &mechanism, wrappedKey, 
+	                         target, keyTemplate, templateCount, keySize, 
+				 wincx);
+   }
+
+   return symKey;
+}
+
+/* use a symetric key to unwrap another symetric key */
+PK11SymKey *
+PK11_UnwrapSymKey( PK11SymKey *wrappingKey, CK_MECHANISM_TYPE wrapType,
+                   SECItem *param, SECItem *wrappedKey, 
+		   CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, 
+		   int keySize)
+{
+    return pk11_AnyUnwrapKey(wrappingKey->slot, wrappingKey->objectID,
+		    wrapType, param, wrappedKey, target, operation, keySize, 
+		    wrappingKey->cx, NULL, 0);
+}
+
+/* use a symetric key to unwrap another symetric key */
+PK11SymKey *
+PK11_UnwrapSymKeyWithFlags(PK11SymKey *wrappingKey, CK_MECHANISM_TYPE wrapType,
+                   SECItem *param, SECItem *wrappedKey, 
+		   CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, 
+		   int keySize, CK_FLAGS flags)
+{
+    CK_BBOOL        ckTrue	= CK_TRUE; 
+    CK_ATTRIBUTE    keyTemplate[MAX_TEMPL_ATTRS];
+    unsigned int    templateCount;
+
+    templateCount = pk11_FlagsToAttributes(flags, keyTemplate, &ckTrue);
+    return pk11_AnyUnwrapKey(wrappingKey->slot, wrappingKey->objectID,
+		    wrapType, param, wrappedKey, target, operation, keySize, 
+		    wrappingKey->cx, keyTemplate, templateCount);
+}
+
+
+/* unwrap a symetric key with a private key. */
+PK11SymKey *
+PK11_PubUnwrapSymKey(SECKEYPrivateKey *wrappingKey, SECItem *wrappedKey,
+	  CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize)
+{
+    CK_MECHANISM_TYPE wrapType = pk11_mapWrapKeyType(wrappingKey->keyType);
+
+    PK11_HandlePasswordCheck(wrappingKey->pkcs11Slot,wrappingKey->wincx);
+    
+    return pk11_AnyUnwrapKey(wrappingKey->pkcs11Slot, wrappingKey->pkcs11ID,
+	wrapType, NULL, wrappedKey, target, operation, keySize, 
+	wrappingKey->wincx, NULL, 0);
+}
+
+/*
+ * Recover the Signed data. We need this because our old verify can't
+ * figure out which hash algorithm to use until we decryptted this.
+ */
+SECStatus
+PK11_VerifyRecover(SECKEYPublicKey *key,
+			 	SECItem *sig, SECItem *dsig, void *wincx)
+{
+    PK11SlotInfo *slot = key->pkcs11Slot;
+    CK_OBJECT_HANDLE id = key->pkcs11ID;
+    CK_MECHANISM mech = {0, NULL, 0 };
+    PRBool owner = PR_TRUE;
+    CK_SESSION_HANDLE session;
+    CK_ULONG len;
+    CK_RV crv;
+
+    mech.mechanism = pk11_mapSignKeyType(key->keyType);
+
+    if (slot == NULL) {
+	slot = PK11_GetBestSlot(mech.mechanism,wincx);
+	if (slot == NULL) {
+	    	PORT_SetError( SEC_ERROR_NO_MODULE );
+		return SECFailure;
+	}
+	id = PK11_ImportPublicKey(slot,key,PR_FALSE);
+    }
+
+    session = pk11_GetNewSession(slot,&owner);
+    if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_VerifyRecoverInit(session,&mech,id);
+    if (crv != CKR_OK) {
+	if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+	pk11_CloseSession(slot,session,owner);
+	PORT_SetError( PK11_MapError(crv) );
+	return SECFailure;
+    }
+    len = dsig->len;
+    crv = PK11_GETTAB(slot)->C_VerifyRecover(session,sig->data,
+						sig->len, dsig->data, &len);
+    if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+    pk11_CloseSession(slot,session,owner);
+    dsig->len = len;
+    if (crv != CKR_OK) {
+	PORT_SetError( PK11_MapError(crv) );
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/*
+ * verify a signature from its hash.
+ */
+SECStatus
+PK11_Verify(SECKEYPublicKey *key, SECItem *sig, SECItem *hash, void *wincx)
+{
+    PK11SlotInfo *slot = key->pkcs11Slot;
+    PK11SlotInfo *tmpslot = key->pkcs11Slot;
+    CK_OBJECT_HANDLE id = key->pkcs11ID;
+    CK_MECHANISM mech = {0, NULL, 0 };
+    PRBool owner = PR_TRUE;
+    CK_SESSION_HANDLE session;
+    CK_RV crv;
+
+    mech.mechanism = pk11_mapSignKeyType(key->keyType);
+
+    if (slot == NULL) {
+        if (mech.mechanism == CKM_DSA) {
+            slot = PK11_GetInternalSlot(); /* use internal slot for 
+                                              DSA verify  */
+        } else { 
+	    slot = PK11_GetBestSlot(mech.mechanism,wincx);
+        };
+       
+	if (slot == NULL) {
+	    PORT_SetError( SEC_ERROR_NO_MODULE );
+	    return SECFailure;
+	}
+	id = PK11_ImportPublicKey(slot,key,PR_FALSE);
+            
+    }
+
+    session = pk11_GetNewSession(slot,&owner);
+    if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_VerifyInit(session,&mech,id);
+    if (crv != CKR_OK) {
+	if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+	pk11_CloseSession(slot,session,owner);
+	PORT_SetError( PK11_MapError(crv) );
+	return SECFailure;
+    }
+    crv = PK11_GETTAB(slot)->C_Verify(session,hash->data,
+					hash->len, sig->data, sig->len);
+    if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+    pk11_CloseSession(slot,session,owner);
+    if (crv != CKR_OK) {
+	PORT_SetError( PK11_MapError(crv) );
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/*
+ * sign a hash. The algorithm is determined by the key.
+ */
+SECStatus
+PK11_Sign(SECKEYPrivateKey *key, SECItem *sig, SECItem *hash)
+{
+    PK11SlotInfo *slot = key->pkcs11Slot;
+    CK_MECHANISM mech = {0, NULL, 0 };
+    PRBool owner = PR_TRUE;
+    CK_SESSION_HANDLE session;
+    CK_ULONG len;
+    CK_RV crv;
+
+    mech.mechanism = pk11_mapSignKeyType(key->keyType);
+
+    PK11_HandlePasswordCheck(slot, key->wincx);
+
+    session = pk11_GetNewSession(slot,&owner);
+    if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_SignInit(session,&mech,key->pkcs11ID);
+    if (crv != CKR_OK) {
+	if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+	pk11_CloseSession(slot,session,owner);
+	PORT_SetError( PK11_MapError(crv) );
+	return SECFailure;
+    }
+    len = sig->len;
+    crv = PK11_GETTAB(slot)->C_Sign(session,hash->data,
+					hash->len, sig->data, &len);
+    if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+    pk11_CloseSession(slot,session,owner);
+    sig->len = len;
+    if (crv != CKR_OK) {
+	PORT_SetError( PK11_MapError(crv) );
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/*
+ * Now SSL 2.0 uses raw RSA stuff. These next to functions *must* use
+ * RSA keys, or they'll fail. We do the checks up front. If anyone comes
+ * up with a meaning for rawdecrypt for any other public key operation,
+ * then we need to move this check into some of PK11_PubDecrypt callers,
+ * (namely SSL 2.0).
+ */
+SECStatus
+PK11_PubDecryptRaw(SECKEYPrivateKey *key, unsigned char *data, 
+	unsigned *outLen, unsigned int maxLen, unsigned char *enc,
+							 unsigned encLen)
+{
+    PK11SlotInfo *slot = key->pkcs11Slot;
+    CK_MECHANISM mech = {CKM_RSA_X_509, NULL, 0 };
+    CK_ULONG out = maxLen;
+    PRBool owner = PR_TRUE;
+    CK_SESSION_HANDLE session;
+    CK_RV crv;
+
+    if (key->keyType != rsaKey) {
+	PORT_SetError( SEC_ERROR_INVALID_KEY );
+	return SECFailure;
+    }
+
+    /* Why do we do a PK11_handle check here? for simple
+     * decryption? .. because the user may have asked for 'ask always'
+     * and this is a private key operation. In practice, thought, it's mute
+     * since only servers wind up using this function */
+    PK11_HandlePasswordCheck(slot, key->wincx);
+    session = pk11_GetNewSession(slot,&owner);
+    if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_DecryptInit(session,&mech,key->pkcs11ID);
+    if (crv != CKR_OK) {
+	if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+	pk11_CloseSession(slot,session,owner);
+	PORT_SetError( PK11_MapError(crv) );
+	return SECFailure;
+    }
+    crv = PK11_GETTAB(slot)->C_Decrypt(session,enc, encLen,
+								data, &out);
+    if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+    pk11_CloseSession(slot,session,owner);
+    *outLen = out;
+    if (crv != CKR_OK) {
+	PORT_SetError( PK11_MapError(crv) );
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/* The encrypt version of the above function */
+SECStatus
+PK11_PubEncryptRaw(SECKEYPublicKey *key, unsigned char *enc,
+		unsigned char *data, unsigned dataLen, void *wincx)
+{
+    PK11SlotInfo *slot;
+    CK_MECHANISM mech = {CKM_RSA_X_509, NULL, 0 };
+    CK_OBJECT_HANDLE id;
+    CK_ULONG out = dataLen;
+    PRBool owner = PR_TRUE;
+    CK_SESSION_HANDLE session;
+    CK_RV crv;
+
+    if (key->keyType != rsaKey) {
+	PORT_SetError( SEC_ERROR_BAD_KEY );
+	return SECFailure;
+    }
+
+    slot = PK11_GetBestSlot(mech.mechanism, wincx);
+    if (slot == NULL) {
+	PORT_SetError( SEC_ERROR_NO_MODULE );
+	return SECFailure;
+    }
+
+    id = PK11_ImportPublicKey(slot,key,PR_FALSE);
+
+    session = pk11_GetNewSession(slot,&owner);
+    if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_EncryptInit(session,&mech,id);
+    if (crv != CKR_OK) {
+	if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+	pk11_CloseSession(slot,session,owner);
+	PORT_SetError( PK11_MapError(crv) );
+	return SECFailure;
+    }
+    crv = PK11_GETTAB(slot)->C_Encrypt(session,data,dataLen,enc,&out);
+    if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+    pk11_CloseSession(slot,session,owner);
+    if (crv != CKR_OK) {
+	PORT_SetError( PK11_MapError(crv) );
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+	
+/**********************************************************************
+ *
+ *                   Now Deal with Crypto Contexts
+ *
+ **********************************************************************/
+
+/*
+ * the monitors...
+ */
+void
+PK11_EnterContextMonitor(PK11Context *cx) {
+    /* if we own the session and our slot is ThreadSafe, only monitor
+     * the Context */
+    if ((cx->ownSession) && (cx->slot->isThreadSafe)) {
+	/* Should this use monitors instead? */
+	PR_Lock(cx->sessionLock);
+    } else {
+	PK11_EnterSlotMonitor(cx->slot);
+    }
+}
+
+void
+PK11_ExitContextMonitor(PK11Context *cx) {
+    /* if we own the session and our slot is ThreadSafe, only monitor
+     * the Context */
+    if ((cx->ownSession) && (cx->slot->isThreadSafe)) {
+	/* Should this use monitors instead? */
+	PR_Unlock(cx->sessionLock);
+    } else {
+	PK11_ExitSlotMonitor(cx->slot);
+    }
+}
+
+/*
+ * Free up a Cipher Context
+ */
+void
+PK11_DestroyContext(PK11Context *context, PRBool freeit)
+{
+    pk11_CloseSession(context->slot,context->session,context->ownSession);
+    /* initialize the critical fields of the context */
+    if (context->savedData != NULL ) PORT_Free(context->savedData);
+    if (context->key) PK11_FreeSymKey(context->key);
+    if (context->param) SECITEM_FreeItem(context->param, PR_TRUE);
+    if (context->sessionLock) PR_DestroyLock(context->sessionLock);
+    PK11_FreeSlot(context->slot);
+    if (freeit) PORT_Free(context);
+}
+
+/*
+ * save the current context. Allocate Space if necessary.
+ */
+static void *
+pk11_saveContextHelper(PK11Context *context, void *space, 
+	unsigned long *savedLength, PRBool staticBuffer, PRBool recurse)
+{
+    CK_ULONG length;
+    CK_RV crv;
+
+    if (staticBuffer) PORT_Assert(space != NULL);
+
+    if (space == NULL) {
+	crv =PK11_GETTAB(context->slot)->C_GetOperationState(context->session,
+				NULL,&length);
+	if (crv != CKR_OK) {
+	    PORT_SetError( PK11_MapError(crv) );
+	    return NULL;
+	}
+	space = PORT_Alloc(length);
+	if (space == NULL) return NULL;
+	*savedLength = length;
+    }
+    crv = PK11_GETTAB(context->slot)->C_GetOperationState(context->session,
+					(CK_BYTE_PTR)space,savedLength);
+    if (!staticBuffer && !recurse && (crv == CKR_BUFFER_TOO_SMALL)) {
+	if (!staticBuffer) PORT_Free(space);
+	return pk11_saveContextHelper(context, NULL, 
+					savedLength, PR_FALSE, PR_TRUE);
+    }
+    if (crv != CKR_OK) {
+	if (!staticBuffer) PORT_Free(space);
+	PORT_SetError( PK11_MapError(crv) );
+	return NULL;
+    }
+    return space;
+}
+
+void *
+pk11_saveContext(PK11Context *context, void *space, unsigned long *savedLength)
+{
+	return pk11_saveContextHelper(context, space, 
+					savedLength, PR_FALSE, PR_FALSE);
+}
+
+/*
+ * restore the current context
+ */
+SECStatus
+pk11_restoreContext(PK11Context *context,void *space, unsigned long savedLength)
+{
+    CK_RV crv;
+    CK_OBJECT_HANDLE objectID = (context->key) ? context->key->objectID:
+			CK_INVALID_KEY;
+
+    PORT_Assert(space != NULL);
+    if (space == NULL) {
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	return SECFailure;
+    }
+    crv = PK11_GETTAB(context->slot)->C_SetOperationState(context->session,
+        (CK_BYTE_PTR)space, savedLength, objectID, 0);
+    if (crv != CKR_OK) {
+       PORT_SetError( PK11_MapError(crv));
+       return SECFailure;
+   }
+   return SECSuccess;
+}
+
+SECStatus pk11_Finalize(PK11Context *context);
+
+/*
+ * Context initialization. Used by all flavors of CreateContext
+ */
+static SECStatus 
+pk11_context_init(PK11Context *context, CK_MECHANISM *mech_info)
+{
+    CK_RV crv;
+    PK11SymKey *symKey = context->key;
+    SECStatus rv = SECSuccess;
+
+    switch (context->operation) {
+    case CKA_ENCRYPT:
+	crv=PK11_GETTAB(context->slot)->C_EncryptInit(context->session,
+				mech_info, symKey->objectID);
+	break;
+    case CKA_DECRYPT:
+	if (context->fortezzaHack) {
+	    CK_ULONG count = 0;;
+	    /* generate the IV for fortezza */
+	    crv=PK11_GETTAB(context->slot)->C_EncryptInit(context->session,
+				mech_info, symKey->objectID);
+	    if (crv != CKR_OK) break;
+	    PK11_GETTAB(context->slot)->C_EncryptFinal(context->session,
+				NULL, &count);
+	}
+	crv=PK11_GETTAB(context->slot)->C_DecryptInit(context->session,
+				mech_info, symKey->objectID);
+	break;
+    case CKA_SIGN:
+	crv=PK11_GETTAB(context->slot)->C_SignInit(context->session,
+				mech_info, symKey->objectID);
+	break;
+    case CKA_VERIFY:
+	crv=PK11_GETTAB(context->slot)->C_SignInit(context->session,
+				mech_info, symKey->objectID);
+	break;
+    case CKA_DIGEST:
+	crv=PK11_GETTAB(context->slot)->C_DigestInit(context->session,
+				mech_info);
+	break;
+    default:
+	crv = CKR_OPERATION_NOT_INITIALIZED;
+	break;
+    }
+
+    if (crv != CKR_OK) {
+        PORT_SetError( PK11_MapError(crv) );
+        return SECFailure;
+    }
+
+    /*
+     * handle session starvation case.. use our last session to multiplex
+     */
+    if (!context->ownSession) {
+	context->savedData = pk11_saveContext(context,context->savedData,
+				&context->savedLength);
+	if (context->savedData == NULL) rv = SECFailure;
+	/* clear out out session for others to use */
+	pk11_Finalize(context);
+    }
+    return rv;
+}
+
+
+/*
+ * Common Helper Function do come up with a new context.
+ */
+static PK11Context *pk11_CreateNewContextInSlot(CK_MECHANISM_TYPE type,
+     PK11SlotInfo *slot, CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey,
+							     SECItem *param)
+{
+    CK_MECHANISM mech_info;
+    PK11Context *context;
+    SECStatus rv;
+	
+    context = (PK11Context *) PORT_Alloc(sizeof(PK11Context));
+    if (context == NULL) {
+	return NULL;
+    }
+
+    /* now deal with the fortezza hack... the fortezza hack is an attempt
+     * to get around the issue of the card not allowing you to do a FORTEZZA
+     * LoadIV/Encrypt, which was added because such a combination could be
+     * use to circumvent the key escrow system. Unfortunately SSL needs to
+     * do this kind of operation, so in SSL we do a loadIV (to verify it),
+     * Then GenerateIV, and through away the first 8 bytes on either side
+     * of the connection.*/
+    context->fortezzaHack = PR_FALSE;
+    if (type == CKM_SKIPJACK_CBC64) {
+	if (symKey->origin == PK11_OriginFortezzaHack) {
+	    context->fortezzaHack = PR_TRUE;
+	}
+    }
+
+    /* initialize the critical fields of the context */
+    context->operation = operation;
+    context->key = symKey ? PK11_ReferenceSymKey(symKey) : NULL;
+    context->slot = PK11_ReferenceSlot(slot);
+    context->session = pk11_GetNewSession(slot,&context->ownSession);
+    context->cx = symKey ? symKey->cx : NULL;
+    /* get our session */
+    context->savedData = NULL;
+
+    /* save the parameters so that some digesting stuff can do multiple
+     * begins on a single context */
+    context->type = type;
+    context->param = SECITEM_DupItem(param);
+    context->init = PR_FALSE;
+    context->sessionLock = PR_NewLock();
+    if ((context->param == NULL) || (context->sessionLock == NULL)) {
+	PK11_DestroyContext(context,PR_TRUE);
+	return NULL;
+    }
+
+    mech_info.mechanism = type;
+    mech_info.pParameter = param->data;
+    mech_info.ulParameterLen = param->len;
+    PK11_EnterContextMonitor(context);
+    rv = pk11_context_init(context,&mech_info);
+    PK11_ExitContextMonitor(context);
+
+    if (rv != SECSuccess) {
+	PK11_DestroyContext(context,PR_TRUE);
+	return NULL;
+    }
+    context->init = PR_TRUE;
+    return context;
+}
+
+
+/*
+ * put together the various PK11_Create_Context calls used by different
+ * parts of libsec.
+ */
+PK11Context *
+PK11_CreateContextByRawKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
+     PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key, 
+						SECItem *param, void *wincx)
+{
+    PK11SymKey *symKey;
+    PK11Context *context;
+
+    /* first get a slot */
+    if (slot == NULL) {
+	slot = PK11_GetBestSlot(type,wincx);
+	if (slot == NULL) {
+	    PORT_SetError( SEC_ERROR_NO_MODULE );
+	    return NULL;
+	}
+    } else {
+	PK11_ReferenceSlot(slot);
+    }
+
+    /* now import the key */
+    symKey = PK11_ImportSymKey(slot, type, origin, operation,  key, wincx);
+    if (symKey == NULL) return NULL;
+
+    context = PK11_CreateContextBySymKey(type, operation, symKey, param);
+
+    PK11_FreeSymKey(symKey);
+    PK11_FreeSlot(slot);
+
+    return context;
+}
+
+
+/*
+ * Create a context from a key. We really should make sure we aren't using
+ * the same key in multiple session!
+ */
+PK11Context *
+PK11_CreateContextBySymKey(CK_MECHANISM_TYPE type,CK_ATTRIBUTE_TYPE operation,
+			PK11SymKey *symKey, SECItem *param)
+{
+    PK11SymKey *newKey;
+    PK11Context *context;
+
+    /* if this slot doesn't support the mechanism, go to a slot that does */
+    newKey = pk11_ForceSlot(symKey,type,operation);
+    if (newKey == NULL) {
+	PK11_ReferenceSymKey(symKey);
+    } else {
+	symKey = newKey;
+    }
+
+
+    /* Context Adopts the symKey.... */
+    context = pk11_CreateNewContextInSlot(type, symKey->slot, operation, symKey,
+							     param);
+    PK11_FreeSymKey(symKey);
+    return context;
+}
+
+/*
+ * Digest contexts don't need keys, but the do need to find a slot.
+ * Macing should use PK11_CreateContextBySymKey.
+ */
+PK11Context *
+PK11_CreateDigestContext(SECOidTag hashAlg)
+{
+    /* digesting has to work without authentication to the slot */
+    CK_MECHANISM_TYPE type;
+    PK11SlotInfo *slot;
+    PK11Context *context;
+    SECItem param;
+
+    type = PK11_AlgtagToMechanism(hashAlg);
+    slot = PK11_GetBestSlot(type, NULL);
+    if (slot == NULL) {
+	PORT_SetError( SEC_ERROR_NO_MODULE );
+	return NULL;
+    }
+
+    /* maybe should really be PK11_GenerateNewParam?? */
+    param.data = NULL;
+    param.len = 0;
+
+    context = pk11_CreateNewContextInSlot(type, slot, CKA_DIGEST, NULL, &param);
+    PK11_FreeSlot(slot);
+    return context;
+}
+
+/*
+ * create a new context which is the clone of the state of old context.
+ */
+PK11Context * PK11_CloneContext(PK11Context *old)
+{
+     PK11Context *newcx;
+     PRBool needFree = PR_FALSE;
+     SECStatus rv = SECSuccess;
+     void *data;
+     unsigned long len;
+
+     newcx = pk11_CreateNewContextInSlot(old->type, old->slot, old->operation,
+						old->key, old->param);
+     if (newcx == NULL) return NULL;
+
+     /* now clone the save state. First we need to find the save state
+      * of the old session. If the old context owns it's session,
+      * the state needs to be saved, otherwise the state is in saveData. */
+     if (old->ownSession) {
+        PK11_EnterContextMonitor(old);
+	data=pk11_saveContext(old,NULL,&len);
+        PK11_ExitContextMonitor(old);
+	needFree = PR_TRUE;
+     } else {
+	data = old->savedData;
+	len = old->savedLength;
+     }
+
+     if (data == NULL) {
+	PK11_DestroyContext(newcx,PR_TRUE);
+	return NULL;
+     }
+
+     /* now copy that state into our new context. Again we have different
+      * work if the new context owns it's own session. If it does, we
+      * restore the state gathered above. If it doesn't, we copy the
+      * saveData pointer... */
+     if (newcx->ownSession) {
+        PK11_EnterContextMonitor(newcx);
+	rv = pk11_restoreContext(newcx,data,len);
+        PK11_ExitContextMonitor(newcx);
+     } else {
+	PORT_Assert(newcx->savedData != NULL);
+	if ((newcx->savedData == NULL) || (newcx->savedLength < len)) {
+	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	    rv = SECFailure;
+	} else {
+	    PORT_Memcpy(newcx->savedData,data,len);
+	    newcx->savedLength = len;
+	}
+    }
+
+    if (needFree) PORT_Free(data);
+
+    if (rv != SECSuccess) {
+	PK11_DestroyContext(newcx,PR_TRUE);
+	return NULL;
+    }
+    return newcx;
+}
+
+/*
+ * save the current context state into a variable. Required to make FORTEZZA
+ * work.
+ */
+SECStatus
+PK11_SaveContext(PK11Context *cx,unsigned char *save,int *len, int saveLength)
+{
+    unsigned char * data = NULL;
+    CK_ULONG length = saveLength;
+
+    if (cx->ownSession) {
+        PK11_EnterContextMonitor(cx);
+	data = (unsigned char*)pk11_saveContextHelper(cx,save,&length,
+							PR_FALSE,PR_FALSE);
+        PK11_ExitContextMonitor(cx);
+	if (data) *len = length;
+    } else if (saveLength >= cx->savedLength) {
+	data = (unsigned char*)cx->savedData;
+	if (cx->savedData) {
+	    PORT_Memcpy(save,cx->savedData,cx->savedLength);
+	}
+	*len = cx->savedLength;
+    }
+    return (data != NULL) ? SECSuccess : SECFailure;
+}
+
+/*
+ * restore the context state into a new running context. Also required for
+ * FORTEZZA .
+ */
+SECStatus
+PK11_RestoreContext(PK11Context *cx,unsigned char *save,int len)
+{
+    SECStatus rv = SECSuccess;
+    if (cx->ownSession) {
+        PK11_EnterContextMonitor(cx);
+	pk11_Finalize(cx);
+	rv = pk11_restoreContext(cx,save,len);
+        PK11_ExitContextMonitor(cx);
+    } else {
+	PORT_Assert(cx->savedData != NULL);
+	if ((cx->savedData == NULL) || (cx->savedLength < (unsigned) len)) {
+	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	    rv = SECFailure;
+	} else {
+	    PORT_Memcpy(cx->savedData,save,len);
+	    cx->savedLength = len;
+	}
+    }
+    return rv;
+}
+
+/*
+ * This is  to get FIPS compliance until we can convert
+ * libjar to use PK11_ hashing functions. It returns PR_FALSE
+ * if we can't get a PK11 Context.
+ */
+PRBool
+PK11_HashOK(SECOidTag algID) {
+    PK11Context *cx;
+
+    cx = PK11_CreateDigestContext(algID);
+    if (cx == NULL) return PR_FALSE;
+    PK11_DestroyContext(cx, PR_TRUE);
+    return PR_TRUE;
+}
+
+
+
+/*
+ * start a new digesting or Mac'ing operation on this context
+ */
+SECStatus PK11_DigestBegin(PK11Context *cx)
+{
+    CK_MECHANISM mech_info;
+    SECStatus rv;
+
+    if (cx->init == PR_TRUE) {
+	return SECSuccess;
+    }
+
+    /*
+     * make sure the old context is clear first
+     */
+    PK11_EnterContextMonitor(cx);
+    pk11_Finalize(cx);
+
+    mech_info.mechanism = cx->type;
+    mech_info.pParameter = cx->param->data;
+    mech_info.ulParameterLen = cx->param->len;
+    rv = pk11_context_init(cx,&mech_info);
+    PK11_ExitContextMonitor(cx);
+
+    if (rv != SECSuccess) {
+	return SECFailure;
+    }
+    cx->init = PR_TRUE;
+    return SECSuccess;
+}
+
+SECStatus
+PK11_HashBuf(SECOidTag hashAlg, unsigned char *out, unsigned char *in, 
+								int32 len) {
+    PK11Context *context;
+    unsigned int max_length;
+    unsigned int out_length;
+    SECStatus rv;
+
+    context = PK11_CreateDigestContext(hashAlg);
+    if (context == NULL) return SECFailure;
+
+    rv = PK11_DigestBegin(context);
+    if (rv != SECSuccess) {
+	PK11_DestroyContext(context, PR_TRUE);
+	return rv;
+    }
+
+    rv = PK11_DigestOp(context, in, len);
+    if (rv != SECSuccess) {
+	PK11_DestroyContext(context, PR_TRUE);
+	return rv;
+    }
+
+    /* we need the output length ... maybe this should be table driven...*/
+    switch (hashAlg) {
+    case  SEC_OID_SHA1: max_length = SHA1_LENGTH; break;
+    case  SEC_OID_MD2: max_length = MD2_LENGTH; break;
+    case  SEC_OID_MD5: max_length = MD5_LENGTH; break;
+    default: max_length = 16; break;
+    }
+
+    rv = PK11_DigestFinal(context,out,&out_length,max_length);
+    PK11_DestroyContext(context, PR_TRUE);
+    return rv;
+}
+
+
+/*
+ * execute a bulk encryption operation
+ */
+SECStatus
+PK11_CipherOp(PK11Context *context, unsigned char * out, int *outlen, 
+				int maxout, unsigned char *in, int inlen)
+{
+    CK_RV crv = CKR_OK;
+    CK_ULONG length = maxout;
+    CK_ULONG offset =0;
+    PK11SymKey *symKey = context->key;
+    SECStatus rv = SECSuccess;
+    unsigned char *saveOut = out;
+    unsigned char *allocOut = NULL;
+
+    /* if we ran out of session, we need to restore our previously stored
+     * state.
+     */
+    PK11_EnterContextMonitor(context);
+    if (!context->ownSession) {
+        rv = pk11_restoreContext(context,context->savedData,
+							context->savedLength);
+	if (rv != SECSuccess) {
+	    PK11_ExitContextMonitor(context);
+	    return rv;
+	}
+    }
+
+    /*
+     * The fortezza hack is to send 8 extra bytes on the first encrypted and
+     * loose them on the first decrypt.
+     */
+    if (context->fortezzaHack) {
+	unsigned char random[8];
+	if (context->operation == CKA_ENCRYPT) {
+	    PK11_ExitContextMonitor(context);
+	    rv = PK11_GenerateRandom(random,sizeof(random));
+    	    PK11_EnterContextMonitor(context);
+
+	    /* since we are offseting the output, we can't encrypt back into
+	     * the same buffer... allocate a temporary buffer just for this
+	     * call. */
+	    allocOut = out = (unsigned char*)PORT_Alloc(maxout);
+	    if (out == NULL) {
+		PK11_ExitContextMonitor(context);
+		return SECFailure;
+	    }
+	    crv = PK11_GETTAB(context->slot)->C_EncryptUpdate(context->session,
+		random,sizeof(random),out,&length);
+
+	    out += length;
+	    maxout -= length;
+	    offset = length;
+	} else if (context->operation == CKA_DECRYPT) {
+	    length = sizeof(random);
+	    crv = PK11_GETTAB(context->slot)->C_DecryptUpdate(context->session,
+		in,sizeof(random),random,&length);
+	    inlen -= length;
+	    in += length;
+	    context->fortezzaHack = PR_FALSE;
+	}
+    }
+
+    switch (context->operation) {
+    case CKA_ENCRYPT:
+	length = maxout;
+	crv=PK11_GETTAB(context->slot)->C_EncryptUpdate(context->session,
+						in, inlen, out, &length);
+	length += offset;
+	break;
+    case CKA_DECRYPT:
+	length = maxout;
+	crv=PK11_GETTAB(context->slot)->C_DecryptUpdate(context->session,
+						in, inlen, out, &length);
+	break;
+    default:
+	crv = CKR_OPERATION_NOT_INITIALIZED;
+	break;
+    }
+
+    if (crv != CKR_OK) {
+        PORT_SetError( PK11_MapError(crv) );
+	*outlen = 0;
+        rv = SECFailure;
+    } else {
+    	*outlen = length;
+    }
+
+    if (context->fortezzaHack) {
+	if (context->operation == CKA_ENCRYPT) {
+	    PORT_Assert(allocOut);
+	    PORT_Memcpy(saveOut, allocOut, length);
+	    PORT_Free(allocOut);
+	}
+	context->fortezzaHack = PR_FALSE;
+    }
+
+    /*
+     * handle session starvation case.. use our last session to multiplex
+     */
+    if (!context->ownSession) {
+	context->savedData = pk11_saveContext(context,context->savedData,
+				&context->savedLength);
+	if (context->savedData == NULL) rv = SECFailure;
+	
+	/* clear out out session for others to use */
+	pk11_Finalize(context);
+    }
+    PK11_ExitContextMonitor(context);
+    return rv;
+}
+
+/*
+ * execute a digest/signature operation
+ */
+SECStatus
+PK11_DigestOp(PK11Context *context, const unsigned char * in, unsigned inLen) 
+{
+    CK_RV crv = CKR_OK;
+    SECStatus rv = SECSuccess;
+
+    /* if we ran out of session, we need to restore our previously stored
+     * state.
+     */
+    context->init = PR_FALSE;
+    PK11_EnterContextMonitor(context);
+    if (!context->ownSession) {
+        rv = pk11_restoreContext(context,context->savedData,
+							context->savedLength);
+	if (rv != SECSuccess) {
+	    PK11_ExitContextMonitor(context);
+	    return rv;
+	}
+    }
+
+    switch (context->operation) {
+    /* also for MAC'ing */
+    case CKA_SIGN:
+	crv=PK11_GETTAB(context->slot)->C_SignUpdate(context->session,
+						     (unsigned char *)in, 
+						     inLen);
+	break;
+    case CKA_VERIFY:
+	crv=PK11_GETTAB(context->slot)->C_VerifyUpdate(context->session,
+						       (unsigned char *)in, 
+						       inLen);
+	break;
+    case CKA_DIGEST:
+	crv=PK11_GETTAB(context->slot)->C_DigestUpdate(context->session,
+						       (unsigned char *)in, 
+						       inLen);
+	break;
+    default:
+	crv = CKR_OPERATION_NOT_INITIALIZED;
+	break;
+    }
+
+    if (crv != CKR_OK) {
+        PORT_SetError( PK11_MapError(crv) );
+        rv = SECFailure;
+    }
+
+    /*
+     * handle session starvation case.. use our last session to multiplex
+     */
+    if (!context->ownSession) {
+	context->savedData = pk11_saveContext(context,context->savedData,
+				&context->savedLength);
+	if (context->savedData == NULL) rv = SECFailure;
+	
+	/* clear out out session for others to use */
+	pk11_Finalize(context);
+    }
+    PK11_ExitContextMonitor(context);
+    return rv;
+}
+
+/*
+ * Digest a key if possible./
+ */
+SECStatus
+PK11_DigestKey(PK11Context *context, PK11SymKey *key)
+{
+    CK_RV crv = CKR_OK;
+    SECStatus rv = SECSuccess;
+    PK11SymKey *newKey = NULL;
+
+    /* if we ran out of session, we need to restore our previously stored
+     * state.
+     */
+    if (context->slot != key->slot) {
+	newKey = pk11_CopyToSlot(context->slot,CKM_SSL3_SHA1_MAC,CKA_SIGN,key);
+    } else {
+	newKey = PK11_ReferenceSymKey(key);
+    }
+
+    context->init = PR_FALSE;
+    PK11_EnterContextMonitor(context);
+    if (!context->ownSession) {
+        rv = pk11_restoreContext(context,context->savedData,
+							context->savedLength);
+	if (rv != SECSuccess) {
+	    PK11_ExitContextMonitor(context);
+            PK11_FreeSymKey(newKey);
+	    return rv;
+	}
+    }
+
+
+    if (newKey == NULL) {
+	crv = CKR_KEY_TYPE_INCONSISTENT;
+	if (key->data.data) {
+	    crv=PK11_GETTAB(context->slot)->C_DigestUpdate(context->session,
+					key->data.data,key->data.len);
+	}
+    } else {
+	crv=PK11_GETTAB(context->slot)->C_DigestKey(context->session,
+							newKey->objectID);
+    }
+
+    if (crv != CKR_OK) {
+        PORT_SetError( PK11_MapError(crv) );
+        rv = SECFailure;
+    }
+
+    /*
+     * handle session starvation case.. use our last session to multiplex
+     */
+    if (!context->ownSession) {
+	context->savedData = pk11_saveContext(context,context->savedData,
+				&context->savedLength);
+	if (context->savedData == NULL) rv = SECFailure;
+	
+	/* clear out out session for others to use */
+	pk11_Finalize(context);
+    }
+    PK11_ExitContextMonitor(context);
+    if (newKey) PK11_FreeSymKey(newKey);
+    return rv;
+}
+
+/*
+ * externally callable version of the lowercase pk11_finalize().
+ */
+SECStatus
+PK11_Finalize(PK11Context *context) {
+    SECStatus rv;
+
+    PK11_EnterContextMonitor(context);
+    rv = pk11_Finalize(context);
+    PK11_ExitContextMonitor(context);
+    return rv;
+}
+
+/*
+ * clean up a cipher operation, so the session can be used by
+ * someone new.
+ */
+SECStatus
+pk11_Finalize(PK11Context *context)
+{
+    CK_ULONG count = 0;
+    CK_RV crv;
+
+    if (!context->ownSession) {
+	return SECSuccess;
+    }
+
+    switch (context->operation) {
+    case CKA_ENCRYPT:
+	crv=PK11_GETTAB(context->slot)->C_EncryptFinal(context->session,
+				NULL,&count);
+	break;
+    case CKA_DECRYPT:
+	crv = PK11_GETTAB(context->slot)->C_DecryptFinal(context->session,
+				NULL,&count);
+	break;
+    case CKA_SIGN:
+	crv=PK11_GETTAB(context->slot)->C_SignFinal(context->session,
+				NULL,&count);
+	break;
+    case CKA_VERIFY:
+	crv=PK11_GETTAB(context->slot)->C_VerifyFinal(context->session,
+				NULL,count);
+	break;
+    case CKA_DIGEST:
+	crv=PK11_GETTAB(context->slot)->C_DigestFinal(context->session,
+				NULL,&count);
+	break;
+    default:
+	crv = CKR_OPERATION_NOT_INITIALIZED;
+	break;
+    }
+
+    if (crv != CKR_OK) {
+        PORT_SetError( PK11_MapError(crv) );
+        return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/*
+ *  Return the final digested or signed data...
+ *  this routine can either take pre initialized data, or allocate data
+ *  either out of an arena or out of the standard heap.
+ */
+SECStatus
+PK11_DigestFinal(PK11Context *context,unsigned char *data, 
+			unsigned int *outLen, unsigned int length)
+{
+    CK_ULONG len;
+    CK_RV crv;
+    SECStatus rv;
+
+
+    /* if we ran out of session, we need to restore our previously stored
+     * state.
+     */
+    PK11_EnterContextMonitor(context);
+    if (!context->ownSession) {
+        rv = pk11_restoreContext(context,context->savedData,
+							context->savedLength);
+	if (rv != SECSuccess) {
+	    PK11_ExitContextMonitor(context);
+	    return rv;
+	}
+    }
+
+    len = length;
+    switch (context->operation) {
+    case CKA_SIGN:
+	crv=PK11_GETTAB(context->slot)->C_SignFinal(context->session,
+				data,&len);
+	break;
+    case CKA_VERIFY:
+	crv=PK11_GETTAB(context->slot)->C_VerifyFinal(context->session,
+				data,len);
+	break;
+    case CKA_DIGEST:
+	crv=PK11_GETTAB(context->slot)->C_DigestFinal(context->session,
+				data,&len);
+	break;
+    case CKA_ENCRYPT:
+	crv=PK11_GETTAB(context->slot)->C_EncryptFinal(context->session,
+				data, &len);
+	break;
+    case CKA_DECRYPT:
+	crv = PK11_GETTAB(context->slot)->C_DecryptFinal(context->session,
+				data, &len);
+	break;
+    default:
+	crv = CKR_OPERATION_NOT_INITIALIZED;
+	break;
+    }
+    PK11_ExitContextMonitor(context);
+
+    *outLen = (unsigned int) len;
+    context->init = PR_FALSE; /* allow Begin to start up again */
+
+
+    if (crv != CKR_OK) {
+        PORT_SetError( PK11_MapError(crv) );
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/****************************************************************************
+ *
+ * Now Do The PBE Functions Here...
+ *
+ ****************************************************************************/
+
+SECAlgorithmID *
+PK11_CreatePBEAlgorithmID(SECOidTag algorithm, int iteration, SECItem *salt)
+{
+    SECAlgorithmID *algid;
+
+    algid = SEC_PKCS5CreateAlgorithmID(algorithm, salt, iteration);
+    return algid;
+}
+
+PK11SymKey *
+PK11_PBEKeyGen(PK11SlotInfo *slot, SECAlgorithmID *algid, SECItem *pwitem,
+	       					PRBool faulty3DES, void *wincx)
+{
+    /* pbe stuff */
+    CK_PBE_PARAMS *pbe_params;
+    CK_MECHANISM_TYPE type;
+    SECItem *mech;
+    PK11SymKey *symKey;
+
+    mech = PK11_ParamFromAlgid(algid);
+    type = PK11_AlgtagToMechanism(SECOID_FindOIDTag(&algid->algorithm));
+    if(faulty3DES && (type == CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC)) {
+	type = CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC;
+    }
+    if(mech == NULL) {
+	return NULL;
+    }
+
+    pbe_params = (CK_PBE_PARAMS *)mech->data;
+    pbe_params->pPassword = (CK_CHAR_PTR)PORT_ZAlloc(pwitem->len);
+    if(pbe_params->pPassword != NULL) {
+	PORT_Memcpy(pbe_params->pPassword, pwitem->data, pwitem->len);
+	pbe_params->ulPasswordLen = pwitem->len;
+    } else {
+	SECITEM_ZfreeItem(mech, PR_TRUE);
+	return NULL;
+    }
+
+    symKey = PK11_KeyGen(slot, type, mech, 0, wincx);
+
+    PORT_ZFree(pbe_params->pPassword, pwitem->len);
+    SECITEM_ZfreeItem(mech, PR_TRUE);
+    return symKey;
+}
+
+
+SECStatus 
+PK11_ImportEncryptedPrivateKeyInfo(PK11SlotInfo *slot,
+			SECKEYEncryptedPrivateKeyInfo *epki, SECItem *pwitem,
+			SECItem *nickname, SECItem *publicValue, PRBool isPerm,
+			PRBool isPrivate, KeyType keyType, unsigned int keyUsage,
+			void *wincx)
+{
+    CK_MECHANISM_TYPE mechanism;
+    SECItem *pbe_param, crypto_param;
+    PK11SymKey *key = NULL;
+    SECStatus rv = SECSuccess;
+    CK_MECHANISM cryptoMech, pbeMech;
+    CK_RV crv;
+    SECKEYPrivateKey *privKey = NULL;
+    PRBool faulty3DES = PR_FALSE;
+    int usageCount;
+    CK_KEY_TYPE key_type;
+    CK_ATTRIBUTE_TYPE *usage;
+    CK_ATTRIBUTE_TYPE rsaUsage[] = {
+		 CKA_UNWRAP, CKA_DECRYPT, CKA_SIGN, CKA_SIGN_RECOVER };
+    CK_ATTRIBUTE_TYPE dsaUsage[] = { CKA_SIGN };
+    CK_ATTRIBUTE_TYPE dhUsage[] = { CKA_DERIVE };
+
+    if((epki == NULL) || (pwitem == NULL))
+	return SECFailure;
+
+    crypto_param.data = NULL;
+
+    mechanism = PK11_AlgtagToMechanism(SECOID_FindOIDTag(
+					&epki->algorithm.algorithm));
+
+    switch (keyType) {
+    default:
+    case rsaKey:
+	key_type = CKK_RSA;
+	switch  (keyUsage & (KU_KEY_ENCIPHERMENT|KU_DIGITAL_SIGNATURE)) {
+	case KU_KEY_ENCIPHERMENT:
+	    usage = rsaUsage;
+	    usageCount = 2;
+	    break;
+	case KU_DIGITAL_SIGNATURE:
+	    usage = &rsaUsage[2];
+	    usageCount = 2;
+	    break;
+	case KU_KEY_ENCIPHERMENT|KU_DIGITAL_SIGNATURE:
+	case 0: /* default to everything */
+	    usage = rsaUsage;
+	    usageCount = 4;
+	    break;
+	}
+        break;
+    case dhKey:
+	key_type = CKK_DH;
+	usage = dhUsage;
+	usageCount = sizeof(dhUsage)/sizeof(dhUsage[0]);
+	break;
+    case dsaKey:
+	key_type = CKK_DSA;
+	usage = dsaUsage;
+	usageCount = sizeof(dsaUsage)/sizeof(dsaUsage[0]);
+	break;
+    }
+
+try_faulty_3des:
+    pbe_param = PK11_ParamFromAlgid(&epki->algorithm);
+
+    key = PK11_PBEKeyGen(slot, &epki->algorithm, pwitem, faulty3DES, wincx);
+    if((key == NULL) || (pbe_param == NULL)) {
+	rv = SECFailure;
+	goto done;
+    }
+
+    pbeMech.mechanism = mechanism;
+    pbeMech.pParameter = pbe_param->data;
+    pbeMech.ulParameterLen = pbe_param->len;
+
+    crv = PK11_MapPBEMechanismToCryptoMechanism(&pbeMech, &cryptoMech, 
+					        pwitem, faulty3DES);
+    if(crv != CKR_OK) {
+	rv = SECFailure;
+	goto done;
+    }
+
+    cryptoMech.mechanism = PK11_GetPadMechanism(cryptoMech.mechanism);
+    crypto_param.data = (unsigned char*)cryptoMech.pParameter;
+    crypto_param.len = cryptoMech.ulParameterLen;
+
+    privKey = PK11_UnwrapPrivKey(slot, key, cryptoMech.mechanism, 
+				 &crypto_param, &epki->encryptedData, 
+				 nickname, publicValue, isPerm, isPrivate,
+				 key_type, usage, usageCount, wincx);
+    if(privKey) {
+	SECKEY_DestroyPrivateKey(privKey);
+	privKey = NULL;
+	rv = SECSuccess;
+	goto done;
+    }
+
+    /* if we are unable to import the key and the mechanism is 
+     * CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC, then it is possible that
+     * the encrypted blob was created with a buggy key generation method
+     * which is described in the PKCS 12 implementation notes.  So we
+     * need to try importing via that method.
+     */ 
+    if((mechanism == CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC) && (!faulty3DES)) {
+	/* clean up after ourselves before redoing the key generation. */
+
+	PK11_FreeSymKey(key);
+	key = NULL;
+
+	if(pbe_param) {
+	    SECITEM_ZfreeItem(pbe_param, PR_TRUE);
+	    pbe_param = NULL;
+	}
+
+	if(crypto_param.data) {
+	    SECITEM_ZfreeItem(&crypto_param, PR_FALSE);
+	    crypto_param.data = NULL;
+	    cryptoMech.pParameter = NULL;
+	    crypto_param.len = cryptoMech.ulParameterLen = 0;
+	}
+
+	faulty3DES = PR_TRUE;
+	goto try_faulty_3des;
+    }
+
+    /* key import really did fail */
+    rv = SECFailure;
+
+done:
+    if(pbe_param != NULL) {
+	SECITEM_ZfreeItem(pbe_param, PR_TRUE);
+	pbe_param = NULL;
+    }
+
+    if(crypto_param.data != NULL) {
+	SECITEM_ZfreeItem(&crypto_param, PR_FALSE);
+    }
+
+    if(key != NULL) {
+    	PK11_FreeSymKey(key);
+    }
+
+    return rv;
+}
+
+/*
+ * import a private key info into the desired slot
+ */
+SECStatus
+PK11_ImportPrivateKeyInfo(PK11SlotInfo *slot, SECKEYPrivateKeyInfo *pki, 
+	SECItem *nickname, SECItem *publicValue, PRBool isPerm, 
+	PRBool isPrivate, unsigned int keyUsage, void *wincx) 
+{
+    CK_BBOOL cktrue = CK_TRUE;
+    CK_BBOOL ckfalse = CK_FALSE;
+    CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
+    CK_KEY_TYPE keyType = CKK_RSA;
+    CK_OBJECT_HANDLE objectID;
+    CK_ATTRIBUTE theTemplate[20];
+    int templateCount = 0;
+    SECStatus rv = SECFailure;
+    SECKEYLowPrivateKey *lpk = NULL;
+    const SEC_ASN1Template *keyTemplate, *paramTemplate;
+    void *paramDest = NULL;
+    PRArenaPool *arena;
+    CK_ATTRIBUTE *attrs;
+    CK_ATTRIBUTE *signedattr = NULL;
+    int signedcount = 0;
+    CK_ATTRIBUTE *ap;
+    SECItem *ck_id = NULL;
+
+    arena = PORT_NewArena(2048);
+    if(!arena) {
+	return SECFailure;
+    }
+
+    /* need to change this to use RSA/DSA keys */
+    lpk = (SECKEYLowPrivateKey *)PORT_ArenaZAlloc(arena,
+						  sizeof(SECKEYLowPrivateKey));
+    if(lpk == NULL) {
+	goto loser;
+    }
+    lpk->arena = arena;
+
+    attrs = theTemplate;
+    switch(SECOID_GetAlgorithmTag(&pki->algorithm)) {
+	case SEC_OID_PKCS1_RSA_ENCRYPTION:
+	    keyTemplate = SECKEY_RSAPrivateKeyTemplate;
+	    paramTemplate = NULL;
+	    paramDest = NULL;
+	    lpk->keyType = rsaKey;
+	    keyType = CKK_RSA;
+	    break;
+	case SEC_OID_ANSIX9_DSA_SIGNATURE:
+	    if(!publicValue) {
+		goto loser;
+	    }
+	    keyTemplate = SECKEY_DSAPrivateKeyExportTemplate;
+	    paramTemplate = SECKEY_PQGParamsTemplate;
+	    paramDest = &(lpk->u.dsa.params);
+	    lpk->keyType = dsaKey;
+	    keyType = CKK_DSA;
+	    break;
+	case SEC_OID_X942_DIFFIE_HELMAN_KEY:
+	    if(!publicValue) {
+		goto loser;
+	    }
+	    keyTemplate = SECKEY_DHPrivateKeyExportTemplate;
+	    paramTemplate = NULL;
+	    paramDest = NULL;
+	    lpk->keyType = dhKey;
+	    keyType = CKK_DH;
+	    break;
+
+	default:
+	    keyTemplate   = NULL;
+	    paramTemplate = NULL;
+	    paramDest     = NULL;
+	    break;
+    }
+
+    if(!keyTemplate) {
+	goto loser;
+    }
+
+    /* decode the private key and any algorithm parameters */
+    rv = SEC_ASN1DecodeItem(arena, lpk, keyTemplate, &pki->privateKey);
+    if(rv != SECSuccess) {
+	goto loser;
+    }
+    if(paramDest && paramTemplate) {
+	rv = SEC_ASN1DecodeItem(arena, paramDest, paramTemplate, 
+				 &(pki->algorithm.parameters));
+	if(rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+
+    PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass) ); attrs++;
+    PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType) ); attrs++;
+    PK11_SETATTRS(attrs, CKA_TOKEN, isPerm ? &cktrue : &ckfalse, 
+						sizeof(CK_BBOOL) ); attrs++;
+    PK11_SETATTRS(attrs, CKA_SENSITIVE, isPrivate ? &cktrue : &ckfalse, 
+						sizeof(CK_BBOOL) ); attrs++;
+    PK11_SETATTRS(attrs, CKA_PRIVATE, isPrivate ? &cktrue : &ckfalse,
+						 sizeof(CK_BBOOL) ); attrs++;
+
+    switch (lpk->keyType) {
+    case rsaKey:
+	    PK11_SETATTRS(attrs, CKA_UNWRAP, (keyUsage & KU_KEY_ENCIPHERMENT) ?
+				&cktrue : &ckfalse, sizeof(CK_BBOOL) ); attrs++;
+	    PK11_SETATTRS(attrs, CKA_DECRYPT, (keyUsage & KU_DATA_ENCIPHERMENT) ?
+				&cktrue : &ckfalse, sizeof(CK_BBOOL) ); attrs++;
+	    PK11_SETATTRS(attrs, CKA_SIGN, (keyUsage & KU_DIGITAL_SIGNATURE) ? 
+				&cktrue : &ckfalse, sizeof(CK_BBOOL) ); attrs++;
+	    PK11_SETATTRS(attrs, CKA_SIGN_RECOVER, 
+				(keyUsage & KU_DIGITAL_SIGNATURE) ? 
+				&cktrue : &ckfalse, sizeof(CK_BBOOL) ); attrs++;
+	    ck_id = PK11_MakeIDFromPubKey(&lpk->u.rsa.modulus);
+	    if (ck_id == NULL) {
+		goto loser;
+	    }
+	    PK11_SETATTRS(attrs, CKA_ID, ck_id->data,ck_id->len); attrs++;
+	    if (nickname) {
+		PK11_SETATTRS(attrs, CKA_LABEL, nickname->data, nickname->len); attrs++; 
+	    } 
+	    signedattr = attrs;
+	    PK11_SETATTRS(attrs, CKA_MODULUS, lpk->u.rsa.modulus.data,
+						lpk->u.rsa.modulus.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_PUBLIC_EXPONENT, 
+	     			lpk->u.rsa.publicExponent.data,
+				lpk->u.rsa.publicExponent.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_PRIVATE_EXPONENT, 
+	     			lpk->u.rsa.privateExponent.data,
+				lpk->u.rsa.privateExponent.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_PRIME_1, 
+	     			lpk->u.rsa.prime1.data,
+				lpk->u.rsa.prime1.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_PRIME_2, 
+	     			lpk->u.rsa.prime2.data,
+				lpk->u.rsa.prime2.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_EXPONENT_1, 
+	     			lpk->u.rsa.exponent1.data,
+				lpk->u.rsa.exponent1.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_EXPONENT_2, 
+	     			lpk->u.rsa.exponent2.data,
+				lpk->u.rsa.exponent2.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_COEFFICIENT, 
+	     			lpk->u.rsa.coefficient.data,
+				lpk->u.rsa.coefficient.len); attrs++;
+	    break;
+    case dsaKey:
+	    /* To make our intenal PKCS #11 module work correctly with 
+	     * our database, we need to pass in the public key value for 
+	     * this dsa key. We have a netscape only CKA_ value to do this.
+	     * Only send it to internal slots */
+	    if (PK11_IsInternal(slot)) {
+	        PK11_SETATTRS(attrs, CKA_NETSCAPE_DB,
+				publicValue->data, publicValue->len); attrs++;
+	    }
+	    PK11_SETATTRS(attrs, CKA_SIGN, &cktrue, sizeof(CK_BBOOL)); attrs++;
+	    PK11_SETATTRS(attrs, CKA_SIGN_RECOVER, &cktrue, sizeof(CK_BBOOL)); attrs++;
+	    if(nickname) {
+		PK11_SETATTRS(attrs, CKA_LABEL, nickname->data, nickname->len);
+		attrs++; 
+	    } 
+	    ck_id = PK11_MakeIDFromPubKey(publicValue);
+	    if (ck_id == NULL) {
+		goto loser;
+	    }
+	    PK11_SETATTRS(attrs, CKA_ID, ck_id->data,ck_id->len); attrs++;
+	    signedattr = attrs;
+	    PK11_SETATTRS(attrs, CKA_PRIME,    lpk->u.dsa.params.prime.data,
+				lpk->u.dsa.params.prime.len); attrs++;
+	    PK11_SETATTRS(attrs,CKA_SUBPRIME,lpk->u.dsa.params.subPrime.data,
+				lpk->u.dsa.params.subPrime.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_BASE,  lpk->u.dsa.params.base.data,
+					lpk->u.dsa.params.base.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_VALUE,    lpk->u.dsa.privateValue.data, 
+					lpk->u.dsa.privateValue.len); attrs++;
+	    break;
+     case dhKey:
+	    /* To make our intenal PKCS #11 module work correctly with 
+	     * our database, we need to pass in the public key value for 
+	     * this dh key. We have a netscape only CKA_ value to do this.
+	     * Only send it to internal slots */
+	    if (PK11_IsInternal(slot)) {
+	        PK11_SETATTRS(attrs, CKA_NETSCAPE_DB,
+				publicValue->data, publicValue->len); attrs++;
+	    }
+	    PK11_SETATTRS(attrs, CKA_DERIVE, &cktrue, sizeof(CK_BBOOL)); attrs++;
+	    if(nickname) {
+		PK11_SETATTRS(attrs, CKA_LABEL, nickname->data, nickname->len);
+		attrs++; 
+	    } 
+	    ck_id = PK11_MakeIDFromPubKey(publicValue);
+	    if (ck_id == NULL) {
+		goto loser;
+	    }
+	    PK11_SETATTRS(attrs, CKA_ID, ck_id->data,ck_id->len); attrs++;
+	    signedattr = attrs;
+	    PK11_SETATTRS(attrs, CKA_PRIME,    lpk->u.dh.prime.data,
+				lpk->u.dh.prime.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_BASE,  lpk->u.dh.base.data,
+					lpk->u.dh.base.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_VALUE,    lpk->u.dh.privateValue.data, 
+					lpk->u.dh.privateValue.len); attrs++;
+	    break;
+	/* what about fortezza??? */
+    default:
+	    PORT_SetError(SEC_ERROR_BAD_KEY);
+	    goto loser;
+    }
+    templateCount = attrs - theTemplate;
+    PR_ASSERT(templateCount <= sizeof(theTemplate)/sizeof(CK_ATTRIBUTE));
+    signedcount = attrs - signedattr;
+
+    for (ap=signedattr; signedcount; ap++, signedcount--) {
+	pk11_SignedToUnsigned(ap);
+    }
+
+    rv = PK11_CreateNewObject(slot, CK_INVALID_SESSION,
+			theTemplate, templateCount, isPerm, &objectID);
+
+    if (ck_id) {
+	SECITEM_ZfreeItem(ck_id, PR_TRUE);
+    }
+
+loser:
+    if (lpk!= NULL) {
+	SECKEY_LowDestroyPrivateKey(lpk);
+    }
+
+    return rv;
+}
+
+SECKEYPrivateKeyInfo *
+PK11_ExportPrivateKeyInfo(CERTCertificate *cert, void *wincx)
+{
+    return NULL;
+}
+
+static int
+pk11_private_key_encrypt_buffer_length(SECKEYPrivateKey *key)
+				
+{
+    CK_ATTRIBUTE rsaTemplate = { CKA_MODULUS, NULL, 0 };
+    CK_ATTRIBUTE dsaTemplate = { CKA_PRIME, NULL, 0 };
+    CK_ATTRIBUTE_PTR pTemplate;
+    CK_RV crv;
+    int length;
+
+    if(!key) {
+	return -1;
+    }
+
+    switch (key->keyType) {
+	case rsaKey:
+	    pTemplate = &rsaTemplate;
+	    break;
+	case dsaKey:
+	case dhKey:
+	    pTemplate = &dsaTemplate;
+	    break;
+	case fortezzaKey:
+	default:
+	    pTemplate = NULL;
+    }
+
+    if(!pTemplate) {
+	return -1;
+    }
+
+    crv = PK11_GetAttributes(NULL, key->pkcs11Slot, key->pkcs11ID, 
+								pTemplate, 1);
+    if(crv != CKR_OK) {
+	PORT_SetError( PK11_MapError(crv) );
+	return -1;
+    }
+
+    length = pTemplate->ulValueLen;
+    length *= 10;
+
+    if(pTemplate->pValue != NULL) {
+	PORT_Free(pTemplate->pValue);
+    }
+
+    return length;
+}
+
+SECKEYEncryptedPrivateKeyInfo * 
+PK11_ExportEncryptedPrivateKeyInfo(PK11SlotInfo *slot, SECOidTag algTag,
+   SECItem *pwitem, CERTCertificate *cert, int iteration, void *wincx)
+{
+    SECKEYEncryptedPrivateKeyInfo *epki = NULL;
+    SECKEYPrivateKey *pk;
+    PRArenaPool *arena = NULL;
+    SECAlgorithmID *algid;
+    CK_MECHANISM_TYPE mechanism;
+    SECItem *pbe_param = NULL, crypto_param;
+    PK11SymKey *key = NULL;
+    SECStatus rv = SECSuccess;
+    CK_MECHANISM pbeMech, cryptoMech;
+    CK_RV crv;
+    SECItem encryptedKey = {siBuffer,NULL,0};
+    int encryptBufLen;
+
+    if(!pwitem)
+	return NULL;
+
+    crypto_param.data = NULL;
+
+    arena = PORT_NewArena(2048);
+    epki = (SECKEYEncryptedPrivateKeyInfo *)PORT_ArenaZAlloc(arena, 
+    		sizeof(SECKEYEncryptedPrivateKeyInfo));
+    if(epki == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+    epki->arena = arena;
+    algid = SEC_PKCS5CreateAlgorithmID(algTag, NULL, iteration);
+    if(algid == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    mechanism = PK11_AlgtagToMechanism(SECOID_FindOIDTag(&algid->algorithm));
+    pbe_param = PK11_ParamFromAlgid(algid);
+    pbeMech.mechanism = mechanism;
+    pbeMech.pParameter = pbe_param->data;
+    pbeMech.ulParameterLen = pbe_param->len;
+    key = PK11_PBEKeyGen(slot, algid, pwitem, PR_FALSE, wincx);
+
+    if((key == NULL) || (pbe_param == NULL)) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    crv = PK11_MapPBEMechanismToCryptoMechanism(&pbeMech, &cryptoMech, 
+						pwitem, PR_FALSE);
+    if(crv != CKR_OK) {
+	rv = SECFailure;
+	goto loser;
+    }
+    cryptoMech.mechanism = PK11_GetPadMechanism(cryptoMech.mechanism);
+    crypto_param.data = (unsigned char *)cryptoMech.pParameter;
+    crypto_param.len = cryptoMech.ulParameterLen;
+
+    pk = PK11_FindKeyByAnyCert(cert, wincx);
+    if(pk == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    encryptBufLen = pk11_private_key_encrypt_buffer_length(pk); 
+    if(encryptBufLen == -1) {
+	rv = SECFailure;
+	goto loser;
+    }
+    encryptedKey.len = (unsigned int)encryptBufLen;
+    encryptedKey.data = (unsigned char *)PORT_ZAlloc(encryptedKey.len);
+    if(!encryptedKey.data) {
+	rv = SECFailure;
+	goto loser;
+    }
+	
+    /* we are extracting an encrypted privateKey structure.
+     * which needs to be freed along with the buffer into which it is
+     * returned.  eventually, we should retrieve an encrypted key using
+     * pkcs8/pkcs5.
+     */
+    PK11_EnterSlotMonitor(pk->pkcs11Slot);
+    crv = PK11_GETTAB(pk->pkcs11Slot)->C_WrapKey(pk->pkcs11Slot->session, 
+    		&cryptoMech, key->objectID, pk->pkcs11ID, encryptedKey.data, 
+		(CK_ULONG_PTR)(&encryptedKey.len)); 
+    PK11_ExitSlotMonitor(pk->pkcs11Slot);
+    if(crv != CKR_OK) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    if(!encryptedKey.len) {
+	rv = SECFailure;
+	goto loser;
+    }
+    
+    rv = SECITEM_CopyItem(arena, &epki->encryptedData, &encryptedKey);
+    if(rv != SECSuccess) {
+	goto loser;
+    }
+
+    rv = SECOID_CopyAlgorithmID(arena, &epki->algorithm, algid);
+
+loser:
+    if(pbe_param != NULL) {
+	SECITEM_ZfreeItem(pbe_param, PR_TRUE);
+	pbe_param = NULL;
+    }
+
+    if(crypto_param.data != NULL) {
+	SECITEM_ZfreeItem(&crypto_param, PR_FALSE);
+	crypto_param.data = NULL;
+    }
+
+    if(key != NULL) {
+    	PK11_FreeSymKey(key);
+    }
+
+    if(rv == SECFailure) {
+	if(arena != NULL) {
+	    PORT_FreeArena(arena, PR_TRUE);
+	}
+	epki = NULL;
+    }
+
+    return epki;
+}
+
+
+/*
+ * This is required to allow FORTEZZA_NULL and FORTEZZA_RC4
+ * working. This function simply gets a valid IV for the keys.
+ */
+SECStatus
+PK11_GenerateFortezzaIV(PK11SymKey *symKey,unsigned char *iv,int len)
+{
+    CK_MECHANISM mech_info;
+    CK_ULONG count = 0;
+    CK_RV crv;
+    SECStatus rv = SECFailure;
+
+    mech_info.mechanism = CKM_SKIPJACK_CBC64;
+    mech_info.pParameter = iv;
+    mech_info.ulParameterLen = len;
+
+    /* generate the IV for fortezza */
+    PK11_EnterSlotMonitor(symKey->slot);
+    crv=PK11_GETTAB(symKey->slot)->C_EncryptInit(symKey->slot->session,
+				&mech_info, symKey->objectID);
+    if (crv == CKR_OK) {
+	PK11_GETTAB(symKey->slot)->C_EncryptFinal(symKey->slot->session, 
+								NULL, &count);
+	rv = SECSuccess;
+    }
+    PK11_ExitSlotMonitor(symKey->slot);
+    return rv;
+}
+
+SECKEYPrivateKey *
+PK11_UnwrapPrivKey(PK11SlotInfo *slot, PK11SymKey *wrappingKey,
+		   CK_MECHANISM_TYPE wrapType, SECItem *param, 
+		   SECItem *wrappedKey, SECItem *label, 
+		   SECItem *idValue, PRBool perm, PRBool sensitive,
+		   CK_KEY_TYPE keyType, CK_ATTRIBUTE_TYPE *usage, int usageCount,
+		   void *wincx)
+{
+    CK_BBOOL cktrue = CK_TRUE;
+    CK_BBOOL ckfalse = CK_FALSE;
+    CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
+    CK_ATTRIBUTE keyTemplate[15] ;
+    int templateCount = 0;
+    CK_OBJECT_HANDLE privKeyID;
+    CK_MECHANISM mechanism;
+    CK_ATTRIBUTE *attrs = keyTemplate;
+    SECItem *param_free = NULL, *ck_id;
+    CK_RV crv;
+    CK_SESSION_HANDLE rwsession;
+    PK11SymKey *newKey = NULL;
+    int i;
+
+    if(!slot || !wrappedKey || !idValue) {
+	/* SET AN ERROR!!! */
+	return NULL;
+    }
+
+    ck_id = PK11_MakeIDFromPubKey(idValue);
+    if(!ck_id) {
+	return NULL;
+    }
+
+    PK11_SETATTRS(attrs, CKA_TOKEN, perm ? &cktrue : &ckfalse,
+					 sizeof(cktrue)); attrs++;
+    PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass)); attrs++;
+    PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType)); attrs++;
+    PK11_SETATTRS(attrs, CKA_PRIVATE, sensitive ? &cktrue : &ckfalse,
+					 sizeof(cktrue)); attrs++;
+    PK11_SETATTRS(attrs, CKA_SENSITIVE, sensitive ? &cktrue : &ckfalse,
+					sizeof(cktrue)); attrs++;
+    PK11_SETATTRS(attrs, CKA_LABEL, label->data, label->len); attrs++;
+    PK11_SETATTRS(attrs, CKA_ID, ck_id->data, ck_id->len); attrs++;
+    for (i=0; i < usageCount; i++) {
+    	PK11_SETATTRS(attrs, usage[i], &cktrue, sizeof(cktrue)); attrs++;
+    }
+
+    if (PK11_IsInternal(slot)) {
+	PK11_SETATTRS(attrs, CKA_NETSCAPE_DB, idValue->data, 
+		      idValue->len); attrs++;
+    }
+
+    templateCount = attrs - keyTemplate;
+    PR_ASSERT(templateCount <= (sizeof(keyTemplate) / sizeof(CK_ATTRIBUTE)) );
+
+    mechanism.mechanism = wrapType;
+    if(!param) param = param_free= PK11_ParamFromIV(wrapType, NULL);
+    if(param) {
+	mechanism.pParameter = param->data;
+	mechanism.ulParameterLen = param->len;
+    } else {
+	mechanism.pParameter = NULL;
+	mechanism.ulParameterLen = 0;
+    }
+
+    if (wrappingKey->slot != slot) {
+	newKey = pk11_CopyToSlot(slot,wrapType,CKA_WRAP,wrappingKey);
+    } else {
+	newKey = PK11_ReferenceSymKey(wrappingKey);
+    }
+
+    if (newKey) {
+	if (perm) {
+	    rwsession = PK11_GetRWSession(slot);
+	} else {
+	    rwsession = slot->session;
+	}
+	crv = PK11_GETTAB(slot)->C_UnwrapKey(rwsession, &mechanism, 
+					 newKey->objectID,
+					 wrappedKey->data, 
+					 wrappedKey->len, keyTemplate, 
+					 templateCount, &privKeyID);
+
+	if (perm) PK11_RestoreROSession(slot, rwsession);
+	PK11_FreeSymKey(newKey);
+    } else {
+	crv = CKR_FUNCTION_NOT_SUPPORTED;
+    }
+
+    if(ck_id) {
+	SECITEM_FreeItem(ck_id, PR_TRUE);
+	ck_id = NULL;
+    }
+
+    if (crv != CKR_OK) {
+	/* we couldn't unwrap the key, use the internal module to do the
+	 * unwrap, then load the new key into the token */
+	 PK11SlotInfo *int_slot = PK11_GetInternalSlot();
+
+	if (int_slot && (slot != int_slot)) {
+	    SECKEYPrivateKey *privKey = PK11_UnwrapPrivKey(int_slot,
+			wrappingKey, wrapType, param, wrappedKey, label,
+			idValue, PR_FALSE, PR_FALSE, 
+			keyType, usage, usageCount, wincx);
+	    if (privKey) {
+		SECKEYPrivateKey *newPrivKey = pk11_loadPrivKey(slot,privKey,
+						NULL,perm,sensitive);
+		SECKEY_DestroyPrivateKey(privKey);
+		PK11_FreeSlot(int_slot);
+		return newPrivKey;
+	    }
+	}
+	if (int_slot) PK11_FreeSlot(int_slot);
+	PORT_SetError( PK11_MapError(crv) );
+	return NULL;
+    }
+    return PK11_MakePrivKey(slot, nullKey, PR_FALSE, privKeyID, wincx);
+}
+
+#define ALLOC_BLOCK  10
+
+/*
+ * Now we're going to wrap a SECKEYPrivateKey with a PK11SymKey
+ * The strategy is to get both keys to reside in the same slot,
+ * one that can perform the desired crypto mechanism and then
+ * call C_WrapKey after all the setup has taken place.
+ */
+SECStatus
+PK11_WrapPrivKey(PK11SlotInfo *slot, PK11SymKey *wrappingKey, 
+		 SECKEYPrivateKey *privKey, CK_MECHANISM_TYPE wrapType, 
+		 SECItem *param, SECItem *wrappedKey, void *wincx)
+{
+    PK11SlotInfo     *privSlot   = privKey->pkcs11Slot; /* The slot where
+							 * the private key
+							 * we are going to
+							 * wrap lives.
+							 */
+    PK11SymKey       *newSymKey  = NULL;
+    SECKEYPrivateKey *newPrivKey = NULL;
+    SECItem          *param_free = NULL;
+    CK_ULONG          len        = wrappedKey->len;
+    CK_MECHANISM      mech;
+    CK_RV             crv;
+
+    if (!privSlot || !PK11_DoesMechanism(privSlot, wrapType)) {
+        /* Figure out a slot that does the mechanism and try to import
+	 * the private key onto that slot.
+	 */
+        PK11SlotInfo *int_slot = PK11_GetInternalSlot();
+
+	privSlot = int_slot; /* The private key has a new home */
+	newPrivKey = pk11_loadPrivKey(privSlot,privKey,NULL,PR_FALSE,PR_FALSE);
+	if (newPrivKey == NULL) {
+	    PK11_FreeSlot (int_slot);
+	    return SECFailure;
+	}
+	privKey = newPrivKey;
+    }
+
+    if (privSlot != wrappingKey->slot) {
+        newSymKey = pk11_CopyToSlot (privSlot, wrapType, CKA_WRAP, 
+				     wrappingKey);
+	wrappingKey = newSymKey;
+    }
+
+    if (wrappingKey == NULL) {
+        if (newPrivKey) {
+		SECKEY_DestroyPrivateKey(newPrivKey);
+	}
+	return SECFailure;
+    }
+    mech.mechanism = wrapType;
+    if (!param) {
+        param = param_free = PK11_ParamFromIV(wrapType, NULL);
+    }
+    if (param) {
+        mech.pParameter     = param->data;
+	mech.ulParameterLen = param->len;
+    } else {
+        mech.pParameter     = NULL;
+	mech.ulParameterLen = 0;
+    }
+
+    PK11_EnterSlotMonitor(privSlot);
+    crv = PK11_GETTAB(privSlot)->C_WrapKey(privSlot->session, &mech, 
+					   wrappingKey->objectID, 
+					   privKey->pkcs11ID,
+					   wrappedKey->data, &len);
+    PK11_ExitSlotMonitor(privSlot);
+
+    if (newSymKey) {
+        PK11_FreeSymKey(newSymKey);
+    }
+    if (newPrivKey) {
+        SECKEY_DestroyPrivateKey(newPrivKey);
+    }
+
+    if (crv != CKR_OK) {
+        PORT_SetError( PK11_MapError(crv) );
+	return SECFailure;
+    }
+
+    wrappedKey->len = len;
+    return SECSuccess;
+}
+    
+void   
+PK11_SetFortezzaHack(PK11SymKey *symKey) { 
+   symKey->origin = PK11_OriginFortezzaHack;
+}
+
diff --git a/security/nss/tests/ssl/ssl.sh b/security/nss/tests/ssl/ssl.sh
new file mode 100755
index 000000000..9b151a097
--- /dev/null
+++ b/security/nss/tests/ssl/ssl.sh
@@ -0,0 +1,313 @@
+#! /bin/ksh  
+#
+# This is just a quick script so we can still run our testcases.
+# Longer term we need a scriptable test environment..
+#
+. ../common/init.sh
+CURDIR=`pwd`
+PORT=${PORT-8443}
+
+# Test case files
+SSLCOV=${CURDIR}/sslcov.txt
+SSLAUTH=${CURDIR}/sslauth.txt
+SSLSTRESS=${CURDIR}/sslstress.txt
+REQUEST_FILE=${CURDIR}/sslreq.txt
+
+#temparary files
+TMP=${TMP-/tmp}
+PWFILE=${TMP}/tests.pw.$$
+CERTSCRIPT=${TMP}/tests_certs.$$
+NOISE_FILE=${TMP}/tests_noise.$$
+SERVEROUTFILE=${TMP}/tests_server.$$
+SERVERPID=${TMP}/tests_pid.$$
+
+TEMPFILES="${PWFILE} ${CERTSCRIPT} ${SERVEROUTFILE} ${NOISE_FILE} ${SERVERPID}"
+
+none=1
+coverage=0
+auth=0
+stress=0
+certs=1
+fileout=0
+
+for i in $*
+do
+    case $i in
+    [aA][lL]*)
+	none=0; coverage=1; auth=1; stress=1;;
+    [aA][uU]*)
+	none=0; auth=1;;
+    [Nn][Oo][aA][uU]*)
+	auth=0;;
+    [Cc][Oo]*)
+	none=0; coverage=1;;
+    [Nn][Oo][Cc][Oo]*)
+	coverage=0;;
+    [Cc][Ee]*)
+	none=0; certs=1;;
+    [Nn][Oo][Cc][Ee]*)
+	certs=0;;
+    [Ss]*)
+	none=0; stress=1;;
+    [Nn][Oo][Ss]*)
+	stress=0;;
+     f)
+	fileout=1;
+     esac
+done
+
+if [ $none -eq 1 ]; then
+    coverage=1
+    auth=1
+    stress=1
+fi
+    
+
+#
+# should also try to kill any running server
+#
+trap "rm -f ${TEMPFILES};  exit"  2 3
+
+if [ $certs -eq 1 ]; then
+# Generate noise for our CA cert.
+#
+# NOTE: these keys are only suitable for testing, as this whole thing bypasses
+# the entropy gathering. Don't use this method to generate keys and certs for
+# product use or deployment.
+#
+ps -efl > ${NOISE_FILE} 2>&1
+ps aux >> ${NOISE_FILE} 2>&1
+netstat >> ${NOISE_FILE} 2>&1
+date >> ${NOISE_FILE} 2>&1
+
+#
+# build the TEMP CA used for testing purposes
+# 
+echo "<TABLE BORDER=1><TR><TH COLSPAN=3>Certutil Tests</TH></TR>" >> ${RESULTS}
+echo "<TR><TH width=500>Test Case</TH><TH width=50>Result</TH></TR>" >> ${RESULTS}
+CADIR=${HOSTDIR}/CA
+echo "********************** Creating a CA Certificate **********************"
+if [ ! -d ${CADIR} ]; then
+   mkdir -p ${CADIR}
+fi
+cd ${CADIR}
+echo nss > ${PWFILE}
+echo "   certutil -N -d . -f ${PWFILE}"
+certutil -N -d . -f ${PWFILE}
+
+echo initialized
+echo 5 > ${CERTSCRIPT}
+echo 9 >> ${CERTSCRIPT}
+echo n >> ${CERTSCRIPT}
+echo y >> ${CERTSCRIPT}
+echo 3 >> ${CERTSCRIPT}
+echo n >> ${CERTSCRIPT}
+echo 5 >> ${CERTSCRIPT}
+echo 6 >> ${CERTSCRIPT}
+echo 7 >> ${CERTSCRIPT}
+echo 9 >> ${CERTSCRIPT}
+echo n >> ${CERTSCRIPT}
+echo    "certutil -S -n \"TestCA\" -s \"CN=NSS Test CA, O=BOGUS NSS, L=Mountain View, ST=California, C=US\" -t \"CTu,CTu,CTu\" -v 60 -x -d . -1 -2 -5 -f ${PWFILE} -z ${NOISE_FILE}"
+certutil -S -n "TestCA" -s "CN=NSS Test CA, O=BOGUS NSS, L=Mountain View, ST=California, C=US" -t "CTu,CTu,CTu" -v 60 -x -d . -1 -2 -5 -f ${PWFILE} -z ${NOISE_FILE} < ${CERTSCRIPT}
+
+if [ $? -ne 0 ]; then
+    echo "<TR><TD>Creating CA Cert</TD><TD bgcolor=red>Failed</TD><TR>" >> ${RESULTS}
+else
+    echo "<TR><TD>Creating CA Cert</TD><TD bgcolor=lightGreen>Passed</TD><TR>" >> ${RESULTS}
+fi
+
+echo "**************** Creating Client CA Issued Certificate ****************"
+netstat >> ${NOISE_FILE} 2>&1
+date >> ${NOISE_FILE} 2>&1
+CLIENTDIR=${HOSTDIR}/client
+if [ ! -d ${CLIENTDIR} ]; then
+   mkdir -p ${CLIENTDIR}
+fi
+cd ${CLIENTDIR}
+echo "   certutil -N -d . -f ${PWFILE}"
+certutil -N -d . -f ${PWFILE}
+if [ $? -ne 0 ]; then
+   CERTFAILED=${CERTFAILED-"Init DB"}
+fi
+echo "Import the root CA"
+echo "   certutil -L -n \"TestCA\" -r -d ../CA > root.cert"
+certutil -L -n "TestCA" -r -d ../CA > root.cert
+if [ $? -ne 0 ]; then
+   CERTFAILED=${CERTFAILED-"Export Root"}
+fi
+echo "   certutil -A -n \"TestCA\" -t \"TC,TC,TC\" -f ${PWFILE} -d . -i root.cert"
+certutil -A -n "TestCA" -t "TC,TC,TC" -f ${PWFILE} -d . -i root.cert
+if [ $? -ne 0 ]; then
+   CERTFAILED=${CERTFAILED-"Import Root"}
+fi
+echo "Generate a Certificate request"
+echo  "  certutil -R -s \"CN=Test User, O=BOGUS Netscape, L=Mountain View, ST=California, C=US\" -d . -f ${PWFILE} -z ${NOISE_FILE} -o req"
+certutil -R -s "CN=Test User, O=BOGUS NSS, L=Mountain View, ST=California, C=US" -d . -f ${PWFILE} -z ${NOISE_FILE} -o req
+if [ $? -ne 0 ]; then
+   CERTFAILED=${CERTFAILED-"Generate Request"}
+fi
+echo "Sign the Certificate request"
+echo  "certutil -C -c "TestCA" -m 3 -v 60 -d ../CA -f ${PWFILE} -i req -o user.cert"
+certutil -C -c "TestCA" -m 3 -v 60 -d ../CA -i req -o user.cert -f ${PWFILE}
+if [ $? -ne 0 ]; then
+   CERTFAILED=${CERTFAILED-"Sign User Cert"}
+fi
+echo "Import the new Cert"
+echo "certutil -A -n \"TestUser\" -t \"u,u,u\" -d . -f ${PWFILE} -i user.cert"
+certutil -A -n "TestUser" -t "u,u,u" -d . -f ${PWFILE} -i user.cert
+if [ $? -ne 0 ]; then
+   CERTFAILED=${CERTFAILED-"Import User"}
+fi
+if [ -n "${CERTFAILED}" ]; then
+    echo "<TR><TD>Creating User Cert</TD><TD bgcolor=red>Failed ($CERTFAILED)</TD><TR>" >> ${RESULTS}
+else
+    echo "<TR><TD>Creating User Cert</TD><TD bgcolor=lightGreen>Passed</TD><TR>" >> ${RESULTS}
+fi
+
+echo "***** Creating Server CA Issued Certificate for ${HOST}.${DOMSUF} *****"
+netstat >> ${NOISE_FILE} 2>&1
+date >> ${NOISE_FILE} 2>&1
+SERVERDIR=${HOSTDIR}/server
+if [ ! -d ${SERVERDIR} ]; then
+   mkdir -p ${SERVERDIR}
+fi
+cd ${SERVERDIR}
+cp ../CA/*.db .
+echo "certutil -S -n \"${HOST}.${DOMSUF}\" -s \"CN=${HOST}.${DOMSUF}, O=BOGUS Netscape, L=Mountain View, ST=California, C=US\" -t \"Pu,Pu,Pu\" -c "TestCA" -v 60  -d . -f ${PWFILE} -z ${NOISE_FILE}"
+certutil -S -n "${HOST}.${DOMSUF}" -s "CN=${HOST}.${DOMSUF}, O=BOGUS Netscape, L=Mountain View, ST=California, C=US" -t "Pu,Pu,Pu" -c "TestCA" -m 1 -v 60 -d . -f ${PWFILE} -z ${NOISE_FILE}
+if [ $? -ne 0 ]; then
+    echo "<TR><TD>Creating Server Cert</TD><TD bgcolor=red>Failed</TD><TR>" >> ${RESULTS}
+else
+    echo "<TR><TD>Creating Server Cert</TD><TD bgcolor=lightGreen>Passed</TD><TR>" >> ${RESULTS}
+fi
+echo "</TABLE><BR>" >> ${RESULTS}
+
+rm -f ${TEMPFILES}
+fi
+
+
+# OK now lets run the tests....
+if [ $coverage -eq 1 ]; then
+echo "********************* SSL Cipher Coverage  ****************************"
+echo "<TABLE BORDER=1><TR><TH COLSPAN=3>SSL Cipher Coverage</TH></TR>" >> ${RESULTS}
+echo "<TR><TH width=500>Test Case</TH><TH width=50>Result</TH></TR>" >> ${RESULTS}
+cd ${CLIENTDIR}
+ cat ${SSLCOV} | while read tls param testname
+do
+    if [ $tls != "#" ]; then
+	echo "********************* $testname ****************************"
+	TLS_FLAG=-T
+	if [ $tls = "TLS" ]; then
+	    TLS_FLAG=""
+	fi
+	sparam=""
+	if [ ${param} = "i" ]; then
+		sparam='-c i'
+	fi
+	echo "selfserv -v -p ${PORT} -d ${SERVERDIR} -n ${HOST}.${DOMSUF} -i ${SERVERPID} -w nss ${sparam} & "
+	if [ ${fileout} -eq 1 ]; then
+	    selfserv -v -p ${PORT} -d ${SERVERDIR} -n ${HOST}.${DOMSUF} -i ${SERVERPID} -w nss ${sparam} > ${SERVEROUTFILE} 2>&1 & 
+	else
+	    selfserv -v -p ${PORT} -d ${SERVERDIR} -n ${HOST}.${DOMSUF} -w nss ${sparam} -i ${SERVERPID} & 
+	fi
+	sleep 10
+
+	tstclnt -p ${PORT} -h ${HOST} -c ${param} ${TLS_FLAG} -f -d . < ${REQUEST_FILE}
+	if [ $? -ne 0 ]; then
+	    echo "<TR><TD>"${testname}"</TD><TD bgcolor=red>Failed</TD><TR>" >> ${RESULTS}
+	else
+	    echo "<TR><TD>"${testname}"</TD><TD bgcolor=lightGreen>Passed</TD><TR>" >> ${RESULTS}
+	fi
+	${KILL} `cat ${SERVERPID}`
+	wait `cat ${SERVERPID}`
+	if [ ${fileout} -eq 1 ]; then
+	   cat ${SERVEROUTFILE}
+	fi
+	${SLEEP}
+    fi
+done 
+
+echo "</TABLE><BR>" >> ${RESULTS}
+fi
+
+if [ $auth -eq 1 ]; then
+echo "********************* SSL Client Auth  ****************************"
+cd ${CLIENTDIR}
+echo "<TABLE BORDER=1><TR><TH COLSPAN=3>SSL Client Authentication</TH></TR>" >> ${RESULTS}
+echo "<TR><TH width=500>Test Case</TH><TH width=50>Result</TH></TR>" >> ${RESULTS}
+
+cat ${SSLAUTH} | while read value sparam cparam testname
+do
+    if [ $value != "#" ]; then
+	echo "***** $testname ****"
+	sparam=`echo $sparam | sed -e 's;_; ;g'`
+	cparam=`echo $cparam | sed -e 's;_; ;g'`
+	echo "selfserv -v -p ${PORT} -d ${SERVERDIR} -n ${HOST}.${DOMSUF} -w nss ${sparam} -i ${SERVERPID} &"
+	if [ ${fileout} -eq 1 ]; then
+	    selfserv -v -p ${PORT} -d ${SERVERDIR} -n ${HOST}.${DOMSUF} -w nss ${sparam} -i ${SERVERPID} > ${SERVEROUTFILE} 2>&1 &
+	else
+	    selfserv -v -p ${PORT} -d ${SERVERDIR} -n ${HOST}.${DOMSUF} -w nss ${sparam} -i ${SERVERPID} &
+	fi
+	sleep 10
+	pwd
+	echo "tstclnt -p ${PORT} -h ${HOST} -f -d ${CLIENTDIR} ${cparam}"
+	tstclnt -p ${PORT} -h ${HOST} -f -d ${CLIENTDIR} ${cparam} < ${REQUEST_FILE}
+	rc=$?
+echo "Return code = $rc expected value = ${value} "
+	if [ $rc -ne ${value} ]; then
+	    echo "<TR><TD>"${testname}"</TD><TD bgcolor=red>Failed</TD><TR>" >> ${RESULTS}
+	else
+	    echo "<TR><TD>"${testname}"</TD><TD bgcolor=lightGreen>Passed</TD><TR>" >> ${RESULTS}
+	fi
+	${KILL} `cat ${SERVERPID}`
+	wait `cat ${SERVERPID}`
+	if [ ${fileout} -eq 1 ]; then
+	   cat ${SERVEROUTFILE}
+	fi
+	${SLEEP}
+     fi
+done 
+
+echo "</TABLE><BR>" >> ${RESULTS}
+fi
+
+
+if [ $stress -eq 1 ]; then
+echo "********************* Stress Test  ****************************"
+cd ${CLIENTDIR}
+echo "<TABLE BORDER=1><TR><TH COLSPAN=3>SSL Stress Test</TH></TR>" >> ${RESULTS}
+echo "<TR><TH width=500>Test Case</TH><TH width=50>Result</TH></TR>" >> ${RESULTS}
+
+cat ${SSLSTRESS} | while read value sparam cparam testname
+do
+    if [ $value != "#" ]; then
+	echo "********************* $testname ****************************"
+	sparam=`echo $sparam | sed -e 's;_; ;g'`
+	cparam=`echo $cparam | sed -e 's;_; ;g'`
+	echo "selfserv -p ${PORT} -d ${SERVERDIR}  -n ${HOST}.${DOMSUF} -w nss ${sparam} -i ${SERVERPID} &"
+	if [ ${fileout} -eq 1 ]; then
+	    selfserv -p ${PORT} -d ${SERVERDIR}  -n ${HOST}.${DOMSUF} -w nss ${sparam} -i ${SERVERPID} > ${SERVEROUTFILE} 2>&1 &
+	else
+	    selfserv -p ${PORT} -d ${SERVERDIR}  -n ${HOST}.${DOMSUF} -w nss ${sparam} -i ${SERVERPID} &
+	fi
+	sleep 10
+
+	strsclnt -p ${PORT} ${HOST} -d . -w nss $cparam 
+	if [ $? -ne $value ]; then
+	    echo "<TR><TD>"${testname}"</TD><TD bgcolor=red>Failed</TD><TR>" >> ${RESULTS}
+	else
+	    echo "<TR><TD>"${testname}"</TD><TD bgcolor=lightGreen>Passed</TD><TR>" >> ${RESULTS}
+	fi
+	${KILL} `cat ${SERVERPID}`
+	wait `cat ${SERVERPID}`
+	if [ ${fileout} -eq 1 ]; then
+	   cat ${SERVEROUTFILE}
+	fi
+	${SLEEP}
+     fi
+done 
+
+echo "</TABLE><BR>" >> ${RESULTS}
+fi
+
+rm -f ${TEMPFILES}
diff --git a/security/nss/tests/ssl/sslauth.txt b/security/nss/tests/ssl/sslauth.txt
index e6beda10f..0c1c25fd9 100644
--- a/security/nss/tests/ssl/sslauth.txt
+++ b/security/nss/tests/ssl/sslauth.txt
@@ -5,17 +5,17 @@
 #  return  server     client                         Test Case name
 #   value  params     params
 #  ------  ------     ------                         ---------------
-     0       -r       -w_nss                 TLS Request don't require client auth (client does not provide auth)
-     0       -r  -n_TestUser_-w_bogus     TLS Request don't require client auth (bad password)
-     0       -r   -n_TestUser_-w_nss      TLS Request don't require client auth (client auth)
-     0     -r_-r       -w_nss                TLS Require client auth (client does not provide auth)
+    -eq      -r       -w_nss                 TLS Request don't require client auth (client does not provide auth)
+    -eq      -r  -n_TestUser_-w_bogus     TLS Request don't require client auth (bad password)
+    -eq      -r   -n_TestUser_-w_nss      TLS Request don't require client auth (client auth)
+    -eq    -r_-r       -w_nss                TLS Require client auth (client does not provide auth)
 # this one should fail
-    254    -r_-r -n_TestUser_-w_bogus     TLS Require client auth (bad password)
-     0     -r_-r  -n_TestUser_-w_nss      TLS Require client auth (client auth)
-     0       -r       -T_-w_nss             SSL3 Request don't require client auth (client does not provide auth)
-     0       -r  -T_-n_TestUser_-w_bogus SSL3 Request don't require client auth (bad password)
-     0       -r   -T_-n_TestUser_-w_nss  SSL3 Request don't require client auth (client auth)
-     0     -r_-r       -T_-w_nss            SSL3 Require client auth (client does not provide auth)
+    -ne    -r_-r -n_TestUser_-w_bogus     TLS Require client auth (bad password)
+    -eq    -r_-r  -n_TestUser_-w_nss      TLS Require client auth (client auth)
+    -eq      -r       -T_-w_nss             SSL3 Request don't require client auth (client does not provide auth)
+    -eq      -r  -T_-n_TestUser_-w_bogus SSL3 Request don't require client auth (bad password)
+    -eq      -r   -T_-n_TestUser_-w_nss  SSL3 Request don't require client auth (client auth)
+    -eq    -r_-r       -T_-w_nss            SSL3 Require client auth (client does not provide auth)
 # this one should fail
-    254    -r_-r -T_-n_TestUser_-w_bogus SSL3 Require client auth (bad password)
-     0     -r_-r  -T_-n_TestUser_-w_nss  SSL3 Require client auth (client auth)
+    -ne    -r_-r -T_-n_TestUser_-w_bogus SSL3 Require client auth (bad password)
+    -eq    -r_-r  -T_-n_TestUser_-w_nss  SSL3 Require client auth (client auth)
diff --git a/security/nss/tests/ssl/sslstress.txt b/security/nss/tests/ssl/sslstress.txt
new file mode 100644
index 000000000..456431355
--- /dev/null
+++ b/security/nss/tests/ssl/sslstress.txt
@@ -0,0 +1,14 @@
+#
+# This file defines the tests for client auth.
+#
+# expected
+#  return  server     client                         Test Case name
+#   value  params     params
+#  ------  ------     ------                         ---------------
+     0      _     -c_1000_-C_A             Stress SSL2 RC4 128 with MD5
+     0      _     -c_1000_-C_A             Stress SSL3 RC4 128 with MD5
+#     0      _     -c_1000_-C_c               Stress TLS RC4 128 with MD5
+#
+# add client auth versions here...
+#
+#     0       -r  -n_"Test_User"_-w_bogus     TLS Request don't require client auth (bad password)